2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / HowTo.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE> Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<STYLE>
BODY { font-family: serif; font-size: 11.0pt }
H1 { font-family: sans-serif; font-size: 20.0pt }
H2 { font-family: sans-serif; font-size: 17.0pt }
H3 { font-family: sans-serif; font-size: 14.0pt }
H4 { font-family: sans-serif; font-size: 11.0pt }
H5 { font-family: sans-serif; font-size: 9.0pt }
H6 { font-family: sans-serif; font-size: 8.0pt }
SUB { font-size: 8.0pt }
SUP { font-size: 8.0pt }
PRE { font-size: 9.0pt }
</STYLE>
</HEAD>
<BODY>
<CENTER><A HREF="#CONTENTS"><H1> Introduction to FreeS/WAN</H1></A><BR>
</CENTER>
<HR>
<H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1>
<BR>
<BR><B><A HREF="#intro">Introduction</A></B>
<UL>
<LI><A HREF="#ipsec.intro">IPSEC, Security for the Internet Protocol</A></LI>
<UL>
<LI><A HREF="#intro.interop">Interoperating with other IPSEC 
implementations</A></LI>
<LI><A HREF="#applications">Applications of IPSEC</A></LI>
<LI><A HREF="#types">The need to authenticate gateways</A></LI>
</UL>
<LI><A HREF="#project">The FreeS/WAN project</A></LI>
<UL>
<LI><A HREF="#goals">Project goals</A></LI>
<LI><A HREF="#staff">Project team</A></LI>
<LI><A HREF="#webdocs">Information on the web</A></LI>
<LI><A HREF="#sites">Distribution sites</A></LI>
<LI><A HREF="#archives">Archives of the project mailing list</A></LI>
</UL>
<LI><A HREF="#products">Products containing FreeS/WAN</A></LI>
<UL>
<LI><A HREF="#distwith">Full Linux distributions</A></LI>
<LI><A HREF="#fw_dist">Firewall distributions</A></LI>
<LI><A HREF="#turnkey">Firewall and VPN products</A></LI>
</UL>
<LI><A HREF="#docs">Documentation</A></LI>
<UL>
<LI><A HREF="#docformats">This HowTo, in multiple formats</A></LI>
<LI><A HREF="#text">Other documents in the distribution</A></LI>
<LI><A HREF="#howto">User-written HowTo information</A></LI>
<LI><A HREF="#applied">Papers on FreeS/WAN</A></LI>
<LI><A HREF="#test">Test results</A></LI>
</UL>
<LI><A HREF="#licensing">License and copyright information</A></LI>
<LI><A HREF="#1_6">Links to other sections</A></LI>
</UL>
<B><A HREF="#install">Installing FreeS/WAN</A></B>
<UL>
<LI><A HREF="#who.install">Who needs to perform an installation?</A></LI>
<LI><A HREF="#re-install">Re-installs</A></LI>
<LI><A HREF="#before">Before starting the install</A></LI>
<UL>
<LI><A HREF="#choosek">Choosing a kernel</A></LI>
<LI><A HREF="#getkernel">Things you must have installed</A></LI>
<LI><A HREF="#2_3_3">Getting FreeS/WAN</A></LI>
<LI><A HREF="#kconfig">Kernel configuration</A></LI>
<LI><A HREF="#inst-test">Install and test a kernel before adding 
FreeS/WAN</A></LI>
</UL>
<LI><A HREF="#building">Building and installing the software</A></LI>
<UL>
<LI><A HREF="#allbut">Everything but kernel installation</A></LI>
<LI><A HREF="#newk">Installing the new kernel</A></LI>
<LI><A HREF="#2_4_3">Make sure Lilo knows about the new kernel</A></LI>
</UL>
<LI><A HREF="#testinstall">Testing to see if install succeeded</A></LI>
<LI><A HREF="#2_6">Where to go from here</A></LI>
</UL>
<B><A HREF="#setup">Configuration</A></B>
<UL>
<LI><A HREF="#example">Our example networks</A></LI>
<LI><A HREF="#testnet">Configuration for a testbed network</A></LI>
<LI><A HREF="#setupnet">Set up and test networking</A></LI>
<UL>
<LI><A HREF="#forward">Enabling packet forwarding</A></LI>
<LI><A HREF="#othersoft">Other software</A></LI>
</UL>
<LI><A HREF="#rtfm">RTFM (please Read The Fine Manuals)</A></LI>
<LI><A HREF="#usersakey">Setting up RSA authentication keys</A></LI>
<UL>
<LI><A HREF="#genrsakey">Generating an RSA key pair</A></LI>
<LI><A HREF="#keyexchange">Exchanging authentication keys</A></LI>
<LI><A HREF="#useRSA">Using RSA signatures for authentication</A></LI>
</UL>
<LI><A HREF="#basic.conf">The configuration file</A></LI>
<UL>
<LI><A HREF="#setup.conf">The setup section of ipsec.conf(5)</A></LI>
<LI><A HREF="#conn.default">Connection defaults</A></LI>
<LI><A HREF="#edit.conn">Editing a connection description</A></LI>
<LI><A HREF="#which">Which is which?</A></LI>
</UL>
<LI><A HREF="#examples">Example setups</A></LI>
<UL>
<LI><A HREF="#VPNex">VPN</A></LI>
<LI><A HREF="#roadex">Road Warrior</A></LI>
<LI><A HREF="#oppex">Opportunistic encryption</A></LI>
</UL>
<LI><A HREF="#handy">Simplifying ipsec.conf files</A></LI>
<LI><A HREF="#fw.basic">Is there a firewall in play?</A></LI>
<LI><A HREF="#testing">Testing the installation</A></LI>
<UL>
<LI><A HREF="#matching">Matching numbers</A></LI>
<LI><A HREF="#testsetup">Sanity checking</A></LI>
<LI><A HREF="#test">Starting a connection</A></LI>
<LI><A HREF="#pingtest">Ping tests</A></LI>
<LI><A HREF="#tcpdump">Testing with tcpdump</A></LI>
</UL>
<LI><A HREF="#links.conf">What next?</A></LI>
<LI><A HREF="#otherconf">Other configuration possibilities</A></LI>
<UL>
<LI><A HREF="#choose">Choosing connection types</A></LI>
<LI><A HREF="#prodsecrets">Using shared secrets in production</A></LI>
<LI><A HREF="#prodman">Using manual keying in production</A></LI>
<LI><A HREF="#boot">Setting up connections at boot time</A></LI>
<LI><A HREF="#multitunnel">Multiple tunnels between the same two 
gateways</A></LI>
<LI><A HREF="#biggate">Many tunnels from a single gateway</A></LI>
<LI><A HREF="#extruded">Extruded Subnets</A></LI>
<LI><A HREF="#roadvirt">Road Warrior with virtual IP address</A></LI>
<LI><A HREF="#dynamic">Dynamic Network Interfaces</A></LI>
<LI><A HREF="#unencrypted">Unencrypted tunnels</A></LI>
</UL>
</UL>
<B><A HREF="#manpages">FreeS/WAN manual pages</A></B>
<UL>
<LI><A HREF="#man.file">Files</A></LI>
<LI><A HREF="#man.command">Commands</A></LI>
<LI><A HREF="#man.lib">Library routines</A></LI>
</UL>
<B><A HREF="#firewall">FreeS/WAN and firewalls</A></B>
<UL>
<LI><A HREF="#packets">IPSEC packets</A></LI>
<UL>
<LI><A HREF="#noport">ESP and AH do not have ports</A></LI>
<LI><A HREF="#header">Header layout</A></LI>
</UL>
<LI><A HREF="#filters">Filtering rules for IPSEC packets</A></LI>
<UL>
<LI><A HREF="#through">IPSEC through the gateway</A></LI>
<LI><A HREF="#ipsec_only">Preventing non-IPSEC traffic</A></LI>
<LI><A HREF="#unknowngate">Filtering packets from unknown gateways</A></LI>
</UL>
<LI><A HREF="#otherfilter">Other packet filters</A></LI>
<UL>
<LI><A HREF="#ICMP">ICMP filtering</A></LI>
<LI><A HREF="#traceroute">UDP packets for traceroute</A></LI>
<LI><A HREF="#l2tp">UDP for L2TP</A></LI>
</UL>
<LI><A HREF="#NAT">IPSEC and NAT</A></LI>
<UL>
<LI><A HREF="#nat_ok">NAT on or behind the IPSEC gateway works</A></LI>
<LI><A HREF="#nat_bad">NAT between gateways is problematic</A></LI>
<LI><A HREF="#">Other references on NAT and IPSEC</A></LI>
</UL>
<LI><A HREF="#updown">Calling firewall scripts, named in ipsec.conf(5)</A>
</LI>
<UL>
<LI><A HREF="#pre_post">Scripts called at IPSEC start and stop</A></LI>
<LI><A HREF="#up_down">Scripts called at connection up and down</A></LI>
<LI><A HREF="#ipchains.script">Scripts for ipchains</A></LI>
<LI><A HREF="#dhr">DHR on the updown script</A></LI>
<LI><A HREF="#exupdownchains">Example updown script for ipchains</A></LI>
</UL>
<LI><A HREF="#examplefw">Ipchains firewall configuration at boot</A></LI>
<UL>
<LI><A HREF="#Ranch.trinity">Scripts based on Ranch's work</A></LI>
<LI><A HREF="#seawall">The Seattle firewall</A></LI>
<LI><A HREF="#rcf">The RCF scripts</A></LI>
</UL>
</UL>
<B><A HREF="#debug">Linux FreeS/WAN Troubleshooting</A></B>
<UL>
<LI><A HREF="#report">Problem Reporting</A></LI>
<LI><A HREF="#logusage">Logs used</A></LI>
<LI><A HREF="#info">Information available on your system</A></LI>
<UL>
<LI><A HREF="#pages">man pages provided</A></LI>
<LI><A HREF="#statusinfo">Status information</A></LI>
</UL>
<LI><A HREF="#pluto.problems">Pluto problem hints</A></LI>
<UL>
<LI><A HREF="#gdb.pluto">Using GDB on Pluto</A></LI>
</UL>
<LI><A HREF="#ifconfig">ifconfig reports for KLIPS debugging</A></LI>
<LI><A HREF="#testgates">Testing between security gateways</A></LI>
<LI><A HREF="#c.guide">Claudia's guide</A></LI>
</UL>
<B><A HREF="#kernelconfig">Kernel configuration for FreeS/WAN</A></B>
<UL>
<LI><A HREF="#notall">Not everyone needs to worry about kernel 
configuration</A></LI>
<LI><A HREF="#assume">Assumptions and notation</A></LI>
<UL>
<LI><A HREF="#labels">Labels used</A></LI>
</UL>
<LI><A HREF="#kernelopt">Kernel options for FreeS/WAN</A></LI>
</UL>
<B><A HREF="#roadmap">Distribution Roadmap: What's Where in Linux 
FreeS/WAN</A></B>
<UL>
<LI><A HREF="#top">Top directory</A></LI>
<LI><A HREF="#doc">Documentation</A></LI>
<LI><A HREF="#klips.roadmap">KLIPS: kernel IP security</A></LI>
<LI><A HREF="#pluto.roadmap">Pluto key and connection management daemon</A>
</LI>
<LI><A HREF="#utils">Utils</A></LI>
<LI><A HREF="#lib">Libraries</A></LI>
<UL>
<LI><A HREF="#fswanlib">FreeS/WAN Library</A></LI>
<LI><A HREF="#otherlib">Imported Libraries</A></LI>
</UL>
</UL>
<B><A HREF="#compat">Linux FreeS/WAN Compatibility Guide</A></B>
<UL>
<LI><A HREF="#spec">Implemented parts of the IPSEC Specification</A></LI>
<UL>
<LI><A HREF="#in">In Linux FreeS/WAN</A></LI>
<LI><A HREF="#dropped">Deliberately ommitted</A></LI>
<LI><A HREF="#not">Not (yet) in Linux FreeS/WAN</A></LI>
</UL>
<LI><A HREF="#pfkey">Our PF-Key implementation</A></LI>
<UL>
<LI><A HREF="#pfk.port">PF-Key portability</A></LI>
</UL>
<LI><A HREF="#otherk">Kernels other than 2.0.38 and 2.2.18</A></LI>
<UL>
<LI><A HREF="#kernel.2.0">Other 2.0.x Intel Kernels</A></LI>
<LI><A HREF="#kernel.production">2.2 and 2.4 Kernels</A></LI>
</UL>
<LI><A HREF="#otherdist">Intel Linux distributions other than Redhat</A></LI>
<UL>
<LI><A HREF="#rh7">Redhat 7.0</A></LI>
<LI><A HREF="#suse">SuSE Linux</A></LI>
<LI><A HREF="#slack">Slackware</A></LI>
<LI><A HREF="#deb">Debian</A></LI>
<LI><A HREF="#caldera">Caldera</A></LI>
</UL>
<LI><A HREF="#CPUs">CPUs other than Intel</A></LI>
<UL>
<LI><A HREF="# strongarm">Corel Netwinder (StrongARM CPU)</A></LI>
<LI><A HREF="#yellowdog">Yellow Dog Linux on Power PC</A></LI>
<LI><A HREF="#mklinux">Mklinux</A></LI>
<LI><A HREF="#alpha">Alpha 64-bit processors</A></LI>
<LI><A HREF="#SPARC">Sun SPARC processors</A></LI>
<LI><A HREF="#mips">MIPS processors</A></LI>
<LI><A HREF="#coldfire">Motorola Coldfire</A></LI>
</UL>
<LI><A HREF="#multiprocessor">Multiprocessor machines</A></LI>
<LI><A HREF="#hardware">Support for crypto hardware</A></LI>
<LI><A HREF="#ipv6">IP version 6 (IPng)</A></LI>
<UL>
<LI><A HREF="#v6.back">IPv6 background</A></LI>
</UL>
</UL>
<B><A HREF="#10">Interoperation with other IPSEC implementations</A></B>
<UL>
<LI><A HREF="#patch.interop">Patches to extend interoperability</A></LI>
<LI><A HREF="#interop.problem">Interoperability problems</A></LI>
<UL>
<LI><A HREF="#noDES">Systems that want to use single DES</A></LI>
</UL>
<LI><A HREF="#otherpub">Interop HowTo documents</A></LI>
<LI><A HREF="#mail.interop">Interoperation with specific products</A></LI>
<UL>
<LI><A HREF="#oldswan">Older versions of FreeS/WAN</A></LI>
<LI><A HREF="#OpenBSD">OpenBSD</A></LI>
<LI><A HREF="#FreeBSD">FreeBSD</A></LI>
<LI><A HREF="#NetBSD">NetBSD</A></LI>
<LI><A HREF="#Cisco">Cisco Routers</A></LI>
<LI><A HREF="#bay">Nortel (Bay Networks) Contivity switch</A></LI>
<LI><A HREF="#Raptor">Raptor Firewall</A></LI>
<LI><A HREF="#gauntlet">Gauntlet firewall GVPN</A></LI>
<LI><A HREF="#checkpoint">Checkpoint Firewall-1</A></LI>
<LI><A HREF="#redcreek">Redcreek Ravlin</A></LI>
<LI><A HREF="#sentinel">SSH Sentinel</A></LI>
<LI><A HREF="#Fsecure">F-Secure VPN for Windows</A></LI>
<LI><A HREF="#watchguard">Watchguard</A></LI>
<LI><A HREF="#Xedia">Xedia Access Point/QVPN</A></LI>
<LI><A HREF="#pgpnet">PGP Mac and Windows IPSEC Client</A></LI>
<LI><A HREF="#IRE">IRE Safenet/SoftPK</A></LI>
<LI><A HREF="#borderware">Borderware</A></LI>
<LI><A HREF="#freegate">Freegate</A></LI>
<LI><A HREF="#timestep">Timestep</A></LI>
<LI><A HREF="#shiva">Shiva/Intel LANrover</A></LI>
<LI><A HREF="#solaris">Sun Solaris</A></LI>
<LI><A HREF="#sonicwall">Sonicwall</A></LI>
<LI><A HREF="#radguard">Radguard</A></LI>
<LI><A HREF="#winclient">Windows clients</A></LI>
<LI><A HREF="#NTdomain">NT domains vs. tunnels</A></LI>
<LI><A HREF="#win2k">Windows 2000</A></LI>
</UL>
</UL>
<B><A HREF="#politics">History and politics of cryptography</A></B>
<UL>
<LI><A HREF="#intro.politics">Introduction</A></LI>
<UL>
<LI><A HREF="#11_1_1">History</A></LI>
<LI><A HREF="#intro.poli">Politics</A></LI>
<LI><A HREF="#11_1_3">Links</A></LI>
<LI><A HREF="#11_1_4">Outline of this section</A></LI>
</UL>
<LI><A HREF="#leader">From our project leader</A></LI>
<UL>
<LI><A HREF="#gilmore">Swan: Securing the Internet against Wiretapping</A>
</LI>
<LI><A HREF="#policestate">Stopping wholesale monitoring</A></LI>
</UL>
<LI><A HREF="#weak">Government promotion of weak crypto</A></LI>
<UL>
<LI><A HREF="#escrow">Escrowed encryption</A></LI>
<LI><A HREF="#shortkeys">Limited key lengths</A></LI>
</UL>
<LI><A HREF="#exlaw">Cryptography Export Laws</A></LI>
<UL>
<LI><A HREF="#USlaw">US Law</A></LI>
<LI><A HREF="#wrong">What's wrong with restrictions on cryptography</A></LI>
<LI><A HREF="#Wassenaar">The Wassenaar Arrangement</A></LI>
<LI><A HREF="#status">Export status of Linux FreeS/WAN</A></LI>
<LI><A HREF="#help">Help spread IPSEC around</A></LI>
</UL>
<LI><A HREF="#desnotsecure">DES is Not Secure</A></LI>
<UL>
<LI><A HREF="#deshware">Dedicated hardware breaks DES in a few days</A></LI>
<LI><A HREF="#spooks">Spooks may break DES faster yet</A></LI>
<LI><A HREF="#desnet">Networks break DES in a few weeks</A></LI>
<LI><A HREF="#no_des">We disable DES</A></LI>
<LI><A HREF="#40joke">40-bits is laughably weak</A></LI>
<LI><A HREF="#altdes">Triple DES is almost certainly secure</A></LI>
<LI><A HREF="#aes.ipsec">AES in IPSEC</A></LI>
</UL>
<LI><A HREF="#press">Press coverage of Linux FreeS/WAN:</A></LI>
<UL>
<LI><A HREF="#11_6_1">FreeS/WAN 1.0 press</A></LI>
<LI><A HREF="#release">Press release for version 1.0</A></LI>
</UL>
</UL>
<B><A HREF="#ipsec.detail">The IPSEC protocols</A></B>
<UL>
<LI><A HREF="#others">Applying IPSEC</A></LI>
<UL>
<LI><A HREF="#advantages">Advantages of IPSEC</A></LI>
<LI><A HREF="#limitations">Limitations of IPSEC</A></LI>
<LI><A HREF="#uses">IPSEC is a general mechanism for securing IP</A></LI>
<LI><A HREF="#authonly">Using authentication without encryption</A></LI>
<LI><A HREF="#encnoauth">Encryption without authentication is dangerous</A>
</LI>
<LI><A HREF="#multilayer">Multiple layers of IPSEC processing are 
possible</A></LI>
<LI><A HREF="#traffic.resist">Resisting traffic analysis</A></LI>
</UL>
<LI><A HREF="#primitives">Cryptographic components</A></LI>
<UL>
<LI><A HREF="#block.cipher">Block ciphers</A></LI>
<LI><A HREF="#hash.ipsec">Hash functions</A></LI>
<LI><A HREF="#DH.keying">Diffie-Hellman key agreement</A></LI>
<LI><A HREF="#RSA.auth">RSA authentication</A></LI>
</UL>
<LI><A HREF="#structure">Structure of IPSEC</A></LI>
<UL>
<LI><A HREF="#IKE.ipsec">IKE (Internet Key Exchange)</A></LI>
<LI><A HREF="#services">IPSEC Services, AH and ESP</A></LI>
<LI><A HREF="#AH.ipsec">The Authentication Header (AH)</A></LI>
<LI><A HREF="#ESP.ipsec">Encapsulated Security Payload (ESP)</A></LI>
</UL>
<LI><A HREF="#modes">IPSEC modes</A></LI>
<UL>
<LI><A HREF="#tunnel.ipsec">Tunnel mode</A></LI>
<LI><A HREF="#transport.ipsec">Transport mode</A></LI>
</UL>
<LI><A HREF="#parts">FreeS/WAN parts</A></LI>
<UL>
<LI><A HREF="#KLIPS.ipsec">KLIPS: Kernel IPSEC Support</A></LI>
<LI><A HREF="#Pluto.ipsec">The Pluto daemon</A></LI>
<LI><A HREF="#command">The ipsec(8) command</A></LI>
<LI><A HREF="#ipsec.conf">Linux FreeS/WAN configuration file</A></LI>
</UL>
<LI><A HREF="#key">Key management</A></LI>
<UL>
<LI><A HREF="#current">Currently Implemented Methods</A></LI>
<LI><A HREF="#notyet">Methods not yet implemented</A></LI>
</UL>
</UL>
<B><A HREF="#lists">Mailing lists and newsgroups</A></B>
<UL>
<LI><A HREF="#list.fs">Mailing lists about FreeS/WAN</A></LI>
<UL>
<LI><A HREF="#projlist">The project mailing lists</A></LI>
<LI><A HREF="#archive">Archives of the lists</A></LI>
</UL>
<LI><A HREF="#indexes">Indexes of mailing lists</A></LI>
<LI><A HREF="#otherlists">Lists for related software and topics</A></LI>
<UL>
<LI><A HREF="#linux.lists">Linux mailing lists</A></LI>
<LI><A HREF="#ietf">Lists for IETF working groups</A></LI>
<LI><A HREF="#other">Other mailing lists</A></LI>
</UL>
<LI><A HREF="#newsgroups">Usenet newsgroups</A></LI>
</UL>
<B><A HREF="#weblink">Web links</A></B>
<UL>
<LI><A HREF="#freeswan">The Linux FreeS/WAN Project</A></LI>
<UL>
<LI><A HREF="#patch">Add-ons and patches for FreeS/WAN</A></LI>
<LI><A HREF="#dist">Distributions including FreeS/WAN</A></LI>
<LI><A HREF="#used">Things FreeS/WAN uses or could use</A></LI>
<LI><A HREF="#alternatives">Other approaches to VPNs for Linux</A></LI>
</UL>
<LI><A HREF="#ipsec.link">The IPSEC Protocols</A></LI>
<UL>
<LI><A HREF="#general">General IPSEC or VPN information</A></LI>
<LI><A HREF="#overview">IPSEC overview documents or slide sets</A></LI>
<LI><A HREF="#otherlang">IPSEC information in languages other than 
English</A></LI>
<LI><A HREF="#RFCs1">RFCs and other reference documents</A></LI>
<LI><A HREF="#analysis">Analysis and critiques of IPSEC protocols</A></LI>
<LI><A HREF="#IP.background">Background information on IP</A></LI>
</UL>
<LI><A HREF="#implement">IPSEC Implementations</A></LI>
<UL>
<LI><A HREF="#linuxprod">Linux products</A></LI>
<LI><A HREF="#router">IPSEC in router products</A></LI>
<LI><A HREF="#fw.web">IPSEC in firewall products</A></LI>
<LI><A HREF="#ipsecos">Operating systems with IPSEC support</A></LI>
<LI><A HREF="#opensource">Open source IPSEC implementations</A></LI>
<LI><A HREF="#interop">Interoperability</A></LI>
</UL>
<LI><A HREF="#linux.link">Linux links</A></LI>
<UL>
<LI><A HREF="#linux.basic">Basic and tutorial Linux information</A></LI>
<LI><A HREF="#general">General Linux sites</A></LI>
<LI><A HREF="#docs1">Documentation</A></LI>
<LI><A HREF="#advroute.web">Advanced routing</A></LI>
<LI><A HREF="#linsec">Security for Linux</A></LI>
<LI><A HREF="#firewall.linux">Linux firewalls</A></LI>
<LI><A HREF="#linux.misc">Miscellaneous Linux information</A></LI>
</UL>
<LI><A HREF="#crypto.link">Crypto and security links</A></LI>
<UL>
<LI><A HREF="#security">Crypto and security resources</A></LI>
<LI><A HREF="#policy">Cryptography law and policy</A></LI>
<LI><A HREF="#crypto.tech">Cryptography technical information</A></LI>
<LI><A HREF="#compsec">Computer and network security</A></LI>
<LI><A HREF="#people">Links to home pages</A></LI>
</UL>
</UL>
<B><A HREF="#ourgloss">Glossary for the Linux FreeS/WAN project</A></B>
<UL>
<LI><A HREF="#jump">Jump to a letter in the glossary</A></LI>
<LI><A HREF="#gloss">Other glossaries</A></LI>
<LI><A HREF="#definitions">Definitions</A></LI>
</UL>
<B><A HREF="#biblio">Bibliography for the Linux FreeS/WAN project</A></B>
<BR>
<BR><B><A HREF="#RFC">IPSEC RFCs and related documents</A></B>
<UL>
<LI><A HREF="#RFCfile">The RFCs.tar.gz Distribution File</A></LI>
<LI><A HREF="#sources">Other sources for RFCs &amp; Internet drafts</A></LI>
<UL>
<LI><A HREF="#RFCdown">RFCs</A></LI>
<LI><A HREF="#drafts">Internet Drafts</A></LI>
<LI><A HREF="#FIPS1">FIPS standards</A></LI>
<LI><A HREF="#doc.cd">Document CDs</A></LI>
</UL>
<LI><A HREF="#RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></LI>
<UL>
<LI><A HREF="#rfc.ov">Overview RFCs</A></LI>
<LI><A HREF="#basic.prot">Basic protocols</A></LI>
<LI><A HREF="#key.ike">Key management</A></LI>
<LI><A HREF="#rfc.detail">Details of various things used</A></LI>
<LI><A HREF="#rfc.ref">Older RFCs which may be referenced</A></LI>
<LI><A HREF="#rfc.dns">RFCs for secure DNS service, which IPSEC may use</A>
</LI>
<LI><A HREF="#rfc.exp">RFCs labelled &quot;experimental&quot;</A></LI>
<LI><A HREF="#rfc.rel">Related RFCs</A></LI>
</UL>
</UL>
<B><A HREF="#18">FreeS/WAN FAQ</A></B>
<UL>
<LI><A HREF="#questions">Questions</A></LI>
<LI><A HREF="#whatzit"> What is FreeS/WAN?</A></LI>
<LI><A HREF="#problems">How do I report a problem or seek help?</A></LI>
<LI><A HREF="#generic">Generic questions</A></LI>
<UL>
<LI><A HREF="#lemme_out">This is too complicated. Isn't there an easier 
way?</A></LI>
<LI><A HREF="#commercial">Can I get commercial support for this product?</A>
</LI>
<LI><A HREF="#modify.faq">Can I modify FreeS/WAN to ...?</A></LI>
<LI><A HREF="#contrib.faq">Can I contribute to the project?</A></LI>
<LI><A HREF="#ddoc.faq">Is there detailed design documentation?</A></LI>
<LI><A HREF="#interop.faq">Can FreeS/WAN talk to ...?</A></LI>
<LI><A HREF="#old_to_new">Can different FreeS/WAN versions talk to each 
other?</A></LI>
<LI><A HREF="#versions">Does FreeS/WAN run on my version of Linux?</A></LI>
<LI><A HREF="#k.versions">Does FreeS/WAN run on the latest kernel 
version?</A></LI>
<LI><A HREF="#faq.speed">Is a ... fast enough to handle FreeS/WAN with 
... connections?</A></LI>
</UL>
<LI><A HREF="#compile.faq">Compilation problems</A></LI>
<UL>
<LI><A HREF="#gmp.h_missing">gmp.h: No such file or directory</A></LI>
<LI><A HREF="#noVM">... virtual memory exhausted</A></LI>
</UL>
<LI><A HREF="#setup.faq">Life's little mysteries</A></LI>
<UL>
<LI><A HREF="#cantping">I cannot ping ....</A></LI>
<LI><A HREF="#forever">It takes forever to ...</A></LI>
<LI><A HREF="#route">I send packets to the tunnel with route(8) but 
they vanish</A></LI>
<LI><A HREF="#down_route">When a tunnel goes down, packets vanish</A></LI>
<LI><A HREF="#firewall_ate">The firewall ate my packets!</A></LI>
<LI><A HREF="#dropconn">Dropped connections</A></LI>
<LI><A HREF="#tcpdump.faq">TCPdump on the gateway shows strange things</A>
</LI>
<LI><A HREF="#no_trace">Traceroute does not show anything between the 
gateways</A></LI>
</UL>
<LI><A HREF="#man4debug">Testing in stages</A></LI>
<UL>
<LI><A HREF="#nomanual">Manually keyed connections don't work</A></LI>
<LI><A HREF="#spi_error">One manual connection works, but second one 
fails</A></LI>
<LI><A HREF="#man_no_auto">Manual connections work, but automatic 
keying doesn't</A></LI>
<LI><A HREF="#nocomp">IPSEC works, but connections using compression 
fail</A></LI>
<LI><A HREF="#pmtu.broken">Small packets work, but large transfers fail</A>
</LI>
<LI><A HREF="#subsub">Subnet-to-subnet works, but tests from the 
gateways don't</A></LI>
</UL>
<LI><A HREF="#error">Interpreting error messages</A></LI>
<UL>
<LI><A HREF="#unreachable">SIOCADDRT:Network is unreachable</A></LI>
<LI><A HREF="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack 
KLIPS</A></LI>
<LI><A HREF="#noDNS">ipsec_setup: ... failure to fetch key for ... from 
DNS</A></LI>
<LI><A HREF="#dup_address">ipsec_setup: ... interfaces ... and ... 
share address ...</A></LI>
<LI><A HREF="#kflags">ipsec_setup: Cannot adjust kernel flags</A></LI>
<LI><A HREF="#conn_name">Connection names in Pluto error messages</A></LI>
<LI><A HREF="#cantorient">Pluto: ... can't orient connection</A></LI>
<LI><A HREF="#noconn">Pluto: ... no connection is known</A></LI>
<LI><A HREF="#nosuit">Pluto: ... no suitable connection ...</A></LI>
<LI><A HREF="#noconn.auth">Pluto: ... no connection has been authorized</A>
</LI>
<LI><A HREF="#noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
</LI>
<LI><A HREF="#notransform"> Pluto: ... no acceptable transform</A></LI>
<LI><A HREF="#econnrefused">ECONNREFUSED error message</A></LI>
<LI><A HREF="#SAused">... trouble writing to /dev/ipsec ... SA already 
in use</A></LI>
<LI><A HREF="#ignore">... ignoring ... payload</A></LI>
</UL>
<LI><A HREF="#canI">Can I ...</A></LI>
<UL>
<LI><A HREF="#reload">Can I reload connection info without restarting?</A>
</LI>
<LI><A HREF="#masq.faq">Can I use several masqueraded subnets?</A></LI>
<LI><A HREF="#dup_route">Can I use subnets masqueraded to the same 
addresses?</A></LI>
<LI><A HREF="#road.masq">Can I assign a road warrior an address on my 
net?</A></LI>
<LI><A HREF="#QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
</LI>
<LI><A HREF="#deadtunnel">Can I recognise dead tunnels and shut them 
down?</A></LI>
<LI><A HREF="#demanddial">Can I build IPSEC tunnels over a 
demand-dialed link?</A></LI>
<LI><A HREF="#GRE">Can I build GRE tunnels over IPSEC?</A></LI>
<LI><A HREF="#PKIcert"> Does FreeS/WAN support X.509 or other PKI 
certificates?</A></LI>
<LI><A HREF="#Radius">Does FreeS/WAN support Radius or other user 
authentication?</A></LI>
<LI><A HREF="#noDES.faq">Does FreeS/WAN support single DES encryption?</A>
</LI>
</UL>
<LI><A HREF="#spam">Why don't you restrict the mailing lists to reduce 
spam?</A></LI>
</UL>
<B><A HREF="#performance">Performance of FreeS/WAN</A></B>
<UL>
<LI><A HREF="#methods">Methods of mesasuring</A></LI>
</UL>
<HR>
<H1><A name="intro">Introduction</A></H1>
<P>This section gives an overview of:</P>
<UL>
<LI>what IP Security (IPSEC) does</LI>
<LI>how IPSEC works</LI>
<LI>why we are implementing it for Linux</LI>
<LI>how this implementation works</LI>
</UL>
<P> This section is intended to cover only the essentials, <EM>things 
you should know before trying to use FreeS/WAN.</EM></P>
<P> For more detailed background information, see the <A href="politics.html">
history and politics</A> and <A href="ipsec.html">IPSEC protocols</A>
 sections.</P>
<H2><A name="ipsec.intro">IPSEC, Security for the Internet Protocol</A></H2>
<P> FreeS/WAN is a Linux implementation of the IPSEC (IP security) 
protocols. IPSEC provides encryption and authentication services at the 
IP (Internet Protocol) level of the network protocol stack. </P>
<P> Working at this level, IPSEC can protect any traffic carried over 
IP, unlike other encryption which generally protects only a particular 
higher-level protocol -- <A href="#PGP">PGP</A> for mail, <A href="#SSH">
SSH</A> for remote login, <A href="#SSL">SSL</A> for web work, and so 
on. This has both advantages and disadvantages, discussed in our <A href="#others">
IPSEC section</A></P>
<P> IPSEC can be used on any machine which does IP networking. 
Dedicated IPSEC gateway machines can be installed wherever required to 
protect traffic. IPSEC can also run on routers, on firewall machines, 
on various application servers, and on end-user desktop or laptop 
machines. </P>
<P> Three protocols are used</P>
<UL>
<LI><A href="#AH">AH</A> (Authentication Header) provides a 
packet-level authentication service</LI>
<LI><A href="#ESP">ESP</A> (Encapsulating Security Payload) provides 
encryption plus authentication</LI>
<LI><A href="#IKE">IKE</A> (Internet Key Exchange) negotiates 
connection parameters, including  keys, for the other two</LI>
</UL>
<P> Our implementation has three main parts:</P>
<UL>
<LI><A href="#KLIPS">KLIPS</A> (kernel IPSEC) implements AH, ESP, and 
packet handling within the  kernel</LI>
<LI><A href="#Pluto">Pluto</A> (an IKE daemon) implements IKE, 
negotiating connections with other  systems</LI>
<LI>various scripts provide an adminstrator's interface to the 
 machinery</LI>
</UL>
<P> IPSEC is optional for the current (version 4) Internet Protocol. 
FreeS/WAN adds IPSEC to the Linux IPv4 network stack. Implementations 
of <A href="#ipv6.gloss">IP version 6</A> are required to include 
IPSEC. Work toward integrating FreeS/WAN into the Linux IPv6 stack has <A
href="#ipv6">started</A>.</P>
<P>For more information on IPSEC, see our <A href="ipsec.html">IPSEC 
protocols</A> section, our collection of <A href="#ipsec.link">IPSEC 
links</A> or the <A href="rfc.html">RFCs</A> which are the official 
definitions of these protocols.</P>
<H3><A name="intro.interop">Interoperating with other IPSEC 
implementations</A></H3>
<P>IPSEC is designed to let different implementations work together. We 
provide:</P>
<UL>
<LI>a <A href="#implement">list</A> of some other implementations</LI>
<LI>information on <A href="interop.html">using FreeS/WAN with other 
 implementations</A></LI>
</UL>
<P> The VPN Consortium fosters cooperation among implementers and 
interoperability among implementations. Their <A href="http://www.vpnc.org/">
web site</A> has much more information. </P>
<H3><A name="applications">Applications of IPSEC</A></H3>
<P> Because IPSEC operates at the network layer, it is remarkably 
flexible and can be used to secure nearly any type of Internet traffic. 
Two applications, however, are extremely widespread:</P>
<UL>
<LI>a <A href="#vpn">Virtual Private Network</A>, or VPN, allows 
multiple  sites to communicate securely over an insecure Internet by 
encrypting all  communication between the sites.</LI>
<LI>&quot;Road Warriors&quot; connect to the office from home, or perhaps from a 
hotel  somewhere</LI>
</UL>
<P> There is enough opportunity in these applications that vendors are 
flocking to them. IPSEC is being built into routers, into firewall 
products, and into major operating systems, primarily to support these 
applications. See our <A href="#implement">list</A> of implementations 
for details. </P>
<P> We support both of those applications, and various less common 
IPSEC applications as well, but we also add one of our own:</P>
<UL>
<LI>opportunistic encryption, the ability to set up FreeS/WAN gateways 
so  that any two of them can encrypt to each other, and will do so 
whenever  packets pass between them.</LI>
</UL>
<P>This is an extension we are adding to the protocols. FreeS/WAN is 
the first prototype implementation, though we hope other IPSEC 
implementations will adopt the technique once we demonstrate it. See <A href="#goals">
project goals</A> below for why we think this is important.</P>
<P>A somewhat more detailed description of each of these applications 
is below. Our <A href="config.html">setup</A> section will show you how 
to build each of them.</P>
<H4><A name="makeVPN">Using secure tunnels to create a VPN</A></H4>
<P> A VPN, or <STRONG>V</STRONG>irtual <STRONG>P</STRONG>rivate <STRONG>
N</STRONG>etwork lets two networks communicate securely when the only 
connection between them is over a third network which they do not trust.</P>
<P>The method is to put a security gateway machine between each of the 
communicating networks and the untrusted network. The gateway machines 
encrypt packets entering the untrusted net and decrypt packets leaving 
it, creating a secure tunnel through it.</P>
<P>If the cryptography is strong, the implementation is careful, and 
the administration of the gateways is competent, then one can 
reasonably trust the security of the tunnel. The two networks then 
behave like a single large private network, some of whose links are 
encrypted tunnels through untrusted nets.</P>
<P>Actual VPNs are often more complex. One organisation may have fifty 
branch offices, plus some suppliers and clients, with whom it needs to 
communicate securely. Another might have 5,000 stores, or 50,000 
point-of-sale devices. The untrusted network need not be the Internet. 
All the same issues arise on a corporate or institutional network 
whenever two departments want to communicate privately with each other.</P>
<P>Administratively, the nice thing about many VPN setups is that large 
parts of them are static. You know the IP addresses of most of the 
machines involved. More important, you know they will not change on 
you. This simplifies some of the admin work. For cases where the 
addresses do change, see the next section.</P>
<H4><A name="road.intro">Road Warriors</A></H4>
<P> The prototypical &quot;Road Warrior&quot; is a traveller connecting to home 
base from a laptop machine. Administratively, most of the same problems 
arise for a telecommuter connecting from home to the office, especially 
if the telecommuter does not have a static IP address.</P>
<P>For purposes of this document:</P>
<UL>
<LI>anyone with a dynamic IP address is a &quot;Road Warrior&quot;.</LI>
<LI>any machine doing IPSEC processing is a &quot;gateway&quot;. Think of the 
 single-user road warrior machine as a gateway with a degenerate subnet 
 (one machine, itself) behind it.</LI>
</UL>
<P> These require somewhat different setup than VPN gateways with 
static addresses and with client systems behind them, but are basically 
not problematic.</P>
<P> There are some difficulties which appear for some road warrior 
connections:</P>
<UL>
<LI>Road Wariors who get their addresses via DHCP may have a problem. 
 FreeS/WAN can quite happily build and use a tunnel to such an address, 
but  when the DHCP lease expires, FreeS/WAN does not know that. The 
tunnel  fails, and the only recovery method is to tear it down and 
re-build  it.</LI>
<LI>If Network Address Translation (NAT) is applied between the two 
IPSEC  Gateways, this breaks IPSEC. IPSEC authenticates packets on an 
end-to-end  basis, to ensure they are not altered en route. NAT 
rewrites packets as  they go by. See our <A href="#NAT">firewalls</A>
 document for details.</LI>
</UL>
<P> In most situations, however, FreeS/WAN supports road warrior 
connections just fine.</P>
<H4><A name="opp.intro">Opportunistic encryption</A></H4>
<P> One of the reasons we are working on FreeS/WAN is that it gives us 
the opportunity to add what we call opportuntistic encryption. This 
means that any two FreeS/WAN gateways will be able to encrypt their 
traffic, <EM>even if the two gateway administrators have had no prior 
contact and neither system has any preset information about the other</EM>
.  We hope this will go some distance toward creating a secure 
Internet, an environment where message privacy is the default. See our <A
href="politics.html">history and politics of cryptography</A> section 
for discussion.</P>
<P> Both systems pick up the authentication information they need from 
the <A href="glossary.html#DNS.gloss">DNS</A> (domain name service), 
the service they already use to look up IP addresses. Of course the 
administrators must put that information in the DNS, and must set up 
their gateways with opportunistic encryption enabled.  Once that is 
done, everything is automatic. The gateways look for opportunities to 
encrypt, and encrypt whatever they can. Whether they also accept 
unencrypted communication is a policy decision the administrator can 
make.</P>
<P> A draft document giving most of the details of how we plan to 
implement this has been posted to the mailing list. See <A href="#applied">
links</A> below.</P>
<P> Only one current product we know of implements a form of 
opportunistic encryption. <A href="#ssmail">Secure sendmail</A> will 
automatically encrypt server-to-server mail transfers whenever possible.</P>
<H3><A name="types">The need to authenticate gateways</A></H3>
<P>A complication, which applies to any type of connection -- VPN, Road 
Warrior or opportunistic -- is that a secure connection cannot be 
created magically. <EM>There must be some mechanism which enables the 
gateways to reliably identify each other.</EM> Without this, they 
cannot sensibly trust each other and cannot create a genuinely secure 
link.</P>
<P>Any link they do create without some form of <A href="#authentication">
authentication</A> will be vulnerable to a <A href="#middle">
man-in-the-middle attack</A>. If <A href="#alicebob">Alice and Bob</A>
 are the people creating the connection, a villian who can re-route or 
intercept the packets can pose as Alice while talking to Bob and pose 
as Bob while talking to Alice. Alice and Bob then both talk to the man 
in the middle, thinking they are talking to each other, and the villain 
gets everything sent on the bogus &quot;secure&quot; connection.</P>
<P>There are two ways to build links securely, both of which exclude 
the man-in-the middle:</P>
<UL>
<LI>with <STRONG>manual keying</STRONG>, Alice and Bob share a secret 
key  (which must be transmitted securely, perhaps in a note or via PGP 
or SSH)  to encrypt their messages. For FreeS/WAN, such keys are stored 
in the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> file. Of 
course, if  an enemy gets the key, all is lost.</LI>
<LI>with <STRONG>automatic keying</STRONG>, the two systems 
authenticate  each other and negotiate their own secret keys. The keys 
are automatically  changed periodically.</LI>
</UL>
<P> Automatic keying is much more secure, since if an enemy gets one 
key only messages between the previous re-keying and the next are 
exposed. It is therefore the usual mode of operation for most IPSEC 
deployment, and the mode we use in our setup examples. FreeS/WAN does 
support manual keying for special circumstanes. See this <A href="#prodman">
section</A>. </P>
<P> For automatic keying, the two systems must authenticate each other 
during the negotiations. There is a choice of methods for this:</P>
<UL>
<LI>a <STRONG>shared secret</STRONG> provides authentication. If Alice 
and  Bob are the only ones who know a secret and Alice recives a 
message which  could not have been created without that secret, then 
Alice can safely  believe the message came from Bob.</LI>
<LI>a <A href="#public">public key</A> can also provide authentication. 
If  Alice receives a message signed with Bob's private key (which of 
course  only he should know) and she has a trustworthy copy of his 
public key (so  that she can verify the signature), then she can safely 
believe the  message came from Bob.</LI>
</UL>
<P> Public key techniques are much preferable, for reasons discussed <A href="#choose">
later</A>, and will be used in all our setup examples. FreeS/WAN does 
also support auto-keying with shared secret authentication. See this <A href="#prodsecrets">
section</A>.</P>
<H2><A name="project">The FreeS/WAN project</A></H2>
<H3><A name="goals">Project goals</A></H3>
<P> Our overall goal in FreeS/WAN is to make the Internet more secure 
and more private.</P>
<P> Our IPSEC implementation supports VPNs and Road Warriors of course. 
Those are important applications. Many users will want FreeS/WAN to 
build corporate VPNs or to provide secure remote access. </P>
<P> However, our goals in building it go beyond that. We are trying to 
help <STRONG>build security into the fabric of the Internet</STRONG> so 
that anyone who choses to communicate securely can do so, as easily as 
they can do anything else on the net.</P>
<P>More detailed objectives are:</P>
<UL>
<LI>help make IPSEC widespread by providing an implementation with no 
 restrictions: 
<UL>
<LI>freely available in source code under the <A href="#GPL">GNU 
General  Public License</A></LI>
<LI>running on a range of readily available hardware</LI>
<LI>not subject to US or other nations' <A href="#exlaw">export 
 restrictions</A>.
<BR> Note that in order to avoid <EM>even the appearance</EM> of being 
 subject to those laws, the project cannot accept software 
 contributions -- <EM>not even one-line bug fixes</EM> -- from US 
 residents or citizens.</LI>
</UL>
</LI>
<LI>provide a high-quality IPSEC implementation for Linux 
<UL>
<LI>portable to all CPUs Linux supports: <A href="#CPUs">(current  list)</A>
</LI>
<LI>interoperable with other IPSEC implementations: <A href="interop.html">
(current list)</A></LI>
</UL>
</LI>
<LI>extend IPSEC to do <A href="#carpediem">opportunistic encryption</A>
 so  that 
<UL>
<LI>any two systems can secure their communications without a 
pre-arranged connection</LI>
<LI>secure connections can be the default, falling back to unencrypted 
connections only  if: 
<UL>
<LI><EM>both</EM> the partner is not set up to co-operate on securing 
the connection </LI>
<LI><EM>and</EM> your policy allows insecure connections </LI>
</UL>
</LI>
<LI>a significant fraction of all Internet traffic is encrypted</LI>
</UL>
</LI>
</UL>
<P> If we can get opportunistic encryption implemented and widely 
deployed, then it becomes impossible for even huge well-funded agencies 
to monitor the net. </P>
<P> See also our section on <A href="politics.html">history and politics</A>
 of cryptography, which includes our project leader's <A href="#gilmore">
rationale</A> for starting the project.</P>
<H3><A name="staff">Project team</A></H3>
 Two of the team are from the US and can therefore contribute no code: 
<UL>
<LI>John Gilmore: founder and policy-maker (<A href="http://www.toad.com/gnu/">
home page</A>) </LI>
<LI>Hugh Daniel: project manager, Most Demented Tester, and 
occasionally Pointy-Haired Boss </LI>
</UL>
 The rest of the team are Canadians, working in Canada. (<A href="#status">
Why Canada?</A>) 
<UL>
<LI>Henry Spencer: technical lead, script programming </LI>
<LI>Hugh Redelmeier: <A href="#Pluto">Pluto daemon</A> programmer </LI>
<LI>Richard Guy Briggs: <A href="#KLIPS">KLIPS</A> programmer </LI>
<LI>Claudia Schmeing: technical support via the <A href="mail.html">
mailing lists</A></LI>
<LI>Sandy Harris: documentation </LI>
</UL>
 The project is funded by civil libertarians who consider our goals 
worthwhile. The team are paid for this work. 
<P> People outside this core team have made substantial contributions. 
See </P>
<UL>
<LI>our <A href="../CREDITS">CREDITS</A> file </LI>
<LI>the <A href="#patch">patches and add-ons</A> section of our web 
references file </LI>
<LI>lists below of user-written <A href="#howto">HowTos</A> and <A href="#applied">
other papers</A></LI>
</UL>
 Additional contributions are welcome. See the <A href="#contrib.faq">
FAQ</A> for details. 
<H3><A name="webdocs">Information on the web</A></H3>
<UL>
<LI>current site, <A href="http://liberty.freeswan.org">freeswan.org</A></LI>
<LI>original project site at <A href="http://www.xs4all.nl/~freeswan">
xs4all.nl</A></LI>
</UL>
<A name="sites">
<H3><A name="sites">Distribution sites</A></H3>
 FreeS/WAN is available from a number of sites: 
<UL>
<LI>Primary site, in Holland: 
<UL>
<LI><A href="http://www.xs4all.nl/~freeswan">HTTP</A></LI>
<LI><A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</A></LI>
</UL>
</LI>
<LI><A href="http://www.flora.org/freeswan">Eastern Canada</A> (limited 
 resouces)</LI>
<LI><A href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</A>
 (has older versions too)</LI>
<LI><A href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</A>
 (has older versions too)</LI>
<LI><A href="ftp://ftp.kame.net/pub/freeswan/">Japan</A></LI>
<LI><A href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong 
 Kong</A></LI>
<LI><A href="ftp://ipsec.dk/pub/freeswan/">Denmark</A></LI>
<LI><A href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</A></LI>
<LI><A href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak 
 Republic</A></LI>
<LI><A href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">
Australia</A></LI>
<LI><A href="http://freeswan.technolust.cx/">technolust</A></LI>
<LI>Ivan Moore's <A href="http://snowcrash.tdyc.com/freeswan/">site</A></LI>
<LI>the <A href="http://www.cryptoarchive.net/">Crypto Archive</A> on 
the <A href="http://www.securityportal.com/"> Security Portal</A> site </LI>
</UL>
<H4><A name="munitions">The &quot;munitions&quot; archive of Linux crypto software</A>
</H4>
 There is also an archive of Linux crypto software called &quot;munitions&quot;, 
with its own mirrors in a number of countries. It includes FreeS/WAN, 
though not always the latest version. Some of its sites are: 
<UL>
<LI><A href="http://munitions.vipul.net/">Germany</A></LI>
<LI><A href="http://munitions.iglu.cjb.net/">Italy</A></LI>
<LI><A href="http://munitions2.xs4all.nl/">Netherlands</A></LI>
</UL>
<P> Any of those will have a list of other &quot;munitions&quot; mirrors. </P>
<H3><A name="archives">Archives of the project mailing list</A></H3>
 Until quite recently, there was only one FreeS/WAN mailing list, and 
archives of it were: 
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
<LI><A href="http://www.nexial.com">Holland</A></LI>
</UL>
 The two archives use completely different search engines. You might 
want to try both.
<P> More recently we have expanded to five lists, each with its own 
archive. </P>
<P><A href="mail.html"> More information</A> on mailing lists.</P>
<H2><A name="products">Products containing FreeS/WAN</A></H2>
<P> Unfortunately the <A href="#exlaw">export laws</A> of some 
countries restrict the distribution of strong cryptography. FreeS/WAN 
is therefore not in the standard Linux kernel and not in all CD or web 
distributions.</P>
<H3><A name="distwith">Full Linux distributions</A></H3>
<P>FreeS/WAN is included in various general-purpose Linux distributions 
from countries (shown in brackets) with more sensible laws:</P>
<UL>
<LI>European versions of <A href="http://www.suse.com/">SuSE Linux</A>
 (Germany)</LI>
<LI><A href="http://www.conectiva.com">Conectiva</A> (Brazil)</LI>
<LI>the server edition of <A href="http://www.corel.com">Corel</A>
 Linux (Canada)</LI>
<LI>the <A href="http://www.pld.org.pl/">Polish(ed) Linux Distribution</A>
 (Poland)</LI>
<LI><A href="http://www.trustix.net/">Trustix Secure Linux</A> (Norway) </LI>
</UL>
<P> For distributions which do not include FreeS/WAN and are not Redhat 
(which we develop and test on), there is additional information in our <A
href="#otherdist">compatibility</A> section.</P>
<P> We would appreciate hearing of other distributions using FreeS/WAN.</P>
<H3><A name="fw_dist">Firewall distributions</A></H3>
 FreeS/WAN is also included in, or available for, more specialised 
distributions intended for firewall and router applications: 
<UL>
<LI><A href="http://www.gibraltar.at/">Gibraltar</A> is based on Debian 
GNU/Linux.  It is bootable directly from CD-ROM,  usable on a machine 
without hard disk. </LI>
<LI>The <A href="http://www.linuxrouter.org/">Linux Router Project</A>
 produces a distribution that will boot from a single floppy. Charles 
 Steinkuehler's LRP site provides <A href="http://lrp.steinkuehler.net/Packages/ipsec1.5.htm">
 FreeS/WAN packaged for LRP</A>. </LI>
<LI><A href="http://www.astaro.com/products/index.html">Astaro Security 
Linux</A> includes FreeS/WAN.  It has some web-based tools for managing 
the firewall that include FreeS/WAN configuration  management.</LI>
<LI><A href="http://www.linuxwall.de">Linuxwall</A></LI>
</UL>
<P> There are also several sets of scripts available for managing a 
firewall which is also acting as a FreeS/WAN IPSEC gateway. See this <A href="#examplefw">
list</A>. </P>
<P> We would appreciate hearing of other specialised distributions 
using FreeS/WAN, or other script sets.</P>
<H3><A name="turnkey">Firewall and VPN products</A></H3>
<P>Several vendors use FreeS/WAN as the IPSEC component of a turnkey 
firewall or VPN product:</P>
<UL>
<LI>The <A href="http://www.lasat.com">LASAT SafePipe[tm]</A> series. 
is an  IPSEC box based on an embedded MIPS running Linux with FreeS/WAN 
and a  web-config front end. This company also host our freeswan.org 
web  site.</LI>
<LI><A href="www.rebel.com">Rebel.com</A>, makers of the Netwinder ARM 
Linux  machine, have a new (mid-2000) division <A href="http://www.rebel.com/solutions/smb/rn-what.html">
Rebel Networks</A> whose product uses FreeS/WAN.</LI>
<LI><A href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</A>
 offer  a VPN/Firewall product using FreeS/WAN</LI>
<LI>The Software Group's <A href="http://www.wanware.com/sentinet/">
Sentinet</A> product uses  FreeS/WAN</LI>
<LI><A href="http://www.merilus.com">Merilus</A> use FreeS/WAN in their 
Gateway Guardian firewall  product and in their <A href="http://www.merilus.com/firecard/index.shtml">
Firecard</A> product, a Linux firewall on a PCI card. </LI>
<LI><A href="http://www.kyzo.com/">Kyzo</A> have a &quot;pizza box&quot; product 
line with various types of  server, all running from flash. One of them 
is an IPSEC/PPTP VPN server. </LI>
<LI><A href="http://www.linuxcare.com">Linuxcare</A> have &quot;bootable 
business card&quot;  usable as a recovery disk for broken Linux systems. </LI>
</UL>
<P>We would appreciate hearing of other products using FreeS/WAN.</P>
<H2><A name="docs">Documentation</A></H2>
<H3><A name="docformats">This HowTo, in multiple formats</A></H3>
<P> FreeS/WAN documentation up to version 1.5 was available only in 
HTML. Now we ship two formats: </P>
<UL>
<LI>as HTML, one file for each doc section plus a global <A href="toc.html">
Table of Contents</A></LI>
<LI><A href="HowTo.html">one big HTML file</A> for easy searching</LI>
</UL>
 and provide a Makefile to generate other formats if required:
<UL>
<LI><A href="HowTo.pdf">PDF</A></LI>
<LI><A href="HowTo.ps">Postscript</A></LI>
<LI><A href="HowTo.txt">ASCII text</A></LI>
</UL>
<P> The Makefile assumes the htmldoc tool is available. You can 
download it from <A href="http://www.easysw.com">Easy Software</A>. You 
may need to get source code and change some of the limits in <NOBR><VAR>
#define MAX_&lt;whatever&gt;</VAR></NOBR> statements near the end of its <VAR>
config.h.in</VAR> file. Otherwise it core dumps when those limits are 
exceeded on large files such as our glossary.html.</P>
<P> All formats should be available at the following websites: </P>
<UL>
<LI><A href="http://www.freeswan.org/doc.html">FreeS/WAN project</A></LI>
<LI><A href="http://www.linuxdoc.org">Linux Documentation Project</A></LI>
</UL>
<P> The distribution tarball has only the two HTML formats.</P>
<P><STRONG> Note:</STRONG> If you need the latest doc version, for 
example to see if anyone has managed to set up interoperation between 
FreeS/WAN and whatever, then you should download the current snapshot. 
What is on the web is documentation as of the last release. Snapshots 
have all changes I've checked in to date. </P>
<H3><A name="text">Other documents in the distribution</A></H3>
<P>Text files in the main distribution directory are README, INSTALL, 
CREDITS, CHANGES, BUGS and COPYING.</P>
<P> FreeS/WAN commands and library routines are documented in standard 
Unix manual pages, accessible via the <VAR>man(1)</VAR> command. We 
also provide them in HTML, accessible from this <A href="manpages.html">
index</A>. In the event of disagreement between this HowTo and the man 
pages, the man pages are more likely correct since they are written by 
the implementers. Please report any such inconsistency on the <A href="mail.html">
mailing list</A>.</P>
<P>The gmp (GNU multi-precision arithmetic) and Libdes (encryption) 
libraries which we use each have their own documentation. You can find 
it in those library directories.</P>
<H3><A name="howto">User-written HowTo information</A></H3>
<P> Various user-written HowTo documents are available. The ones 
covering FreeS/WAN-to-FreeS/WAN connections are:</P>
<UL>
<LI>Jean-Francois Nadeau's <A href="http://jixen.tripod.com/">practical 
 configurations</A> document</LI>
<LI>Jens Zerbst's HowTo on <A href="http://dynipsec.tripod.com/">Using 
FreeS/WAN with dynamic IP  addresses</A>. </LI>
<LI>an entry in Kurt Seifried's <A href="http://www.securityportal.com/lskb/kben00000013.html">
 Linux Security Knowledge Base</A>. </LI>
<LI>a section of David Ranch's <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity  OS Guide</A></LI>
<LI>a section in David Bander's book <A href="#bander">Linux Security 
Toolkit</A></LI>
</UL>
<P> User-wriiten HowTo material may be <STRONG>especially helpful if 
you need to interoperate with another IPSEC implementation</STRONG>. We 
have neither the equipment nor the manpower to test such 
configurations. Users seem to be doing an admirable job of filling the 
gaps.</P>
<UL>
<LI>list of user-written <A href="#otherpub">interoperation HowTos</A>
 in our interop document </LI>
</UL>
<P> Check what version of FreeS/WAN user-written documents cover. The 
software is under active development and the current version may be 
significantly different from what an older document describes.</P>
<H3><A name="applied">Papers on FreeS/WAN</A></H3>
<P> Two design documents show current team thinking on new 
developments: </P>
<UL>
<LI><A href="opportunism.spec">Opportunistic Encryption</A> by 
technical lead Henry Spencer and Pluto programmer Hugh Redelemeier </LI>
<LI><A href="klips2.spec">KLIPS II Design</A> by kernel programmer 
Richard Guy Briggs </LI>
</UL>
 Both documents are works in progress and frequently revised. The most 
recent versions can be found either in FreeS/WAN snapshots or on the <A href="mail.html">
design mailing list</A>. Comments should go to that list. 
<P> A number of papers giving further background on FreeS/WAN, or 
exploring its future or its applications, are also available:</P>
<UL>
<LI>Both Henry and Richard gave talks on FreeS/WAN at the 2000 <A href="http://www.linuxsymposium.org">
Ottawa Linux Symposium</A>. 
<UL>
<LI>Richard's <A href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">
slides</A></LI>
<LI>Henry's paper</LI>
<LI>MP3 audio of their talks is available from the <A href="http://www.linuxsymposium.org/">
conference page</A></LI>
</UL>
</LI>
<LI><CITE>Moat: A Virtual Private Network Appliances and Services 
 Platform</CITE> is a paper about large-scale (a few 100 links) use of 
 FreeS/WAN in a production application at AT&amp;T research. It is 
 available in Postscript or PDF from co-author Steve Bellovin's <A href="http://www.research.att.com/~smb/papers/index.html">
papers list  page</A>.</LI>
<LI>One of the Moat co-authors, John Denker, has also written 
<UL>
<LI>a <A href="http://www.quintillion.com/fdis/moat/ipsec+routing/">
proposal</A> for how future versions of FreeS/WAN might interact with 
routing  protocols</LI>
<LI>a <A href="http://www.quintillion.com/fdis/moat/wishlist.html">
wishlist</A> of possible new features</LI>
</UL>
</LI>
<LI>Bart Trojanowski's web page has a draft design for <A href="http://www.jukie.net/~bart/linux-ipsec/">
 hardware acceleration</A> of FreeS/WAN </LI>
<LI>Feczak Szabolcs' <A href="http://feczo.koli.kando.hu/vpn/">thesis</A>
, in Hungarian </LI>
</UL>
<P> Several of these provoked interesting discussions on the mailing 
lists, worth searching for in the <A href="#archive">archives</A>. </P>
<H3><A name="test">Test results</A></H3>
<UL>
<LI><A href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">Speed 
test  results</A> from a Welsh university.</LI>
</UL>
<P> Interoperability test results are in our <A href="#result">web links</A>
 document. </P>
<H2><A name="licensing">License and copyright information</A></H2>
 All code and documentation written for this project is distributed 
under either the GNU General Public License (<A href="#GPL">GPL</A>) or 
the GNU Library General Public License. For details see the COPYING 
file in the distribution. 
<P>Not all code in the distribution is ours, however. See the CREDITS 
file for details. In particular, note that the <A href="#LIBDES">Libdes</A>
 library has its own license.</P>
<H2><A NAME="1_6">Links to other sections</A></H2>
<P>For more detailed background information, see:</P>
<UL>
<LI><A href="politics.html">history and politics</A> of cryptography</LI>
<LI><A href="ipsec.html">IPSEC protocols</A></LI>
</UL>
<P> To begin working with FreeS/WAN, go to: </P>
<UL>
<LI><A href="install.html">installation</A> if you need to install 
FreeS/WAN</LI>
<LI><A href="config.html">setup</A> if your distribution came with 
FreeS/WAN so  you just need to configure your IPSEC links</LI>
</UL>
<HR>
<H1><A name="install">Installing FreeS/WAN</A></H1>
<H2><A name="who.install">Who needs to perform an installation?</A></H2>
<P> Some Linux distributions, <A href="#distwith">listed in the 
introduction</A>, ship with FreeS/WAN included. If you are using one of 
them, you need not perform a FreeS/WAN installation. That should all be 
done for you already. All you have to do is:</P>
<UL>
<LI>include FreeS/WAN in your installation choices, or add it to your 
 configuration later</LI>
<LI>if you install kernel source, be sure to use a version which 
includes  the FreeS/WAN patches. This should be available from your CDs 
or from the  web site for your distribution.</LI>
</UL>
<P>Users of such distributions can skip ahead to our section on <A href="config.html">
setting up</A> FreeS/WAN.</P>
<P> Unfortunately, due to <A href="#exlaw">export laws</A> restricting 
distribution of strong cryptography, not all distributions include 
FreeS/WAN. Moreover, the standard kernel does not include the kernel 
parts of FreeS/WAN. Many people will need to install FreeS/WAN, 
including patching and rebuilding their kernel.</P>
<H2><A name="re-install">Re-installs</A></H2>
 If this is the first FreeS/WAN install on this machine, skip this 
section. 
<P> The scripts are designed so that a re-install -- to upgrade to a 
later FreeS/WAN version or to a later kernel version -- can be done in 
exactly the same way as an original install. </P>
<P> The scripts know enough, for example, not to apply the same kernel 
patch twice and not to overwrite your <VAR>ipsec.conf</VAR> or <VAR>
ipsec.secrets</VAR> files. However, they will overwrite the _updown 
script. If you have modified that, save your version under another name 
before doing the install. </P>
<P> Also, they may not always work exactly as designed. Check the <A href="../BUGS">
BUGS</A> file for any caveats in the current version. </P>
<DL>
<DT>to install a new version of FreeS/WAN, with your current kernel</DT>
<DD> Download and untar the new FreeS/WAN. Since kernel source has 
already been installed and configured, you can skip a few steps in the 
procedure below. Go to <A href="#building">Building FreeS/WAN</A>, and 
follow normal FreeS/WAN procedures from there. </DD>
<DT>to install a new kernel, on a machine which already has FreeS/WAN 
installed</DT>
<DD> Download and untar the new kernel source. Since this kernel is not 
yet configured, that is the next thing to do.Go to <A href="#kconfig">
 Kernel configuration</A>, and follow normal FreeS/WAN procedures from 
there. </DD>
<DT>to upgrade both kernel and FreeS/WAN</DT>
<DD> You need both new kernel source and new FreeS/WAN source. Follow 
the full FreeS/WAN install procedure. </DD>
</DL>
<H2><A name="before">Before starting the install</A></H2>
<P>Configure, compile, install, and test a Linux kernel, without 
FreeS/WAN.</P>
<P> If you have not done this before, you will need to read the <A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">
Kernel HowTo</A>.</P>
<H3><A name="choosek">Choosing a kernel</A></H3>
<H4><A name="2.2">2.2.19 for many users</A></H4>
<P> Many users can continue to run kernels from the 2.2 series of Linux 
production <A href="#kernel">kernels</A>. </P>
<P> At time of writing (June 2001), the latest version is 2.2.19. If 
you are going to use a 2.2 kernel, we <STRONG>strongly recommend 2.2.19</STRONG>
 since: </P>
<UL>
<LI>It has a number of small security fixes not found in earlier 
kernels. </LI>
<LI>There have been changes in some kernel file formats that make it 
difficult to compile a current FreeS/WAN with earlier kernels. </LI>
</UL>
 If you really need to use an older 2.2.x kernel for some reason, see 
the note in the FreeS/WAN 1.91 release <A href="../CHANGES">CHANGES</A>
 file for a workaround for the compile difficulty, and the <A href="mail.html">
 mailing list archives</A> for more details if needed. 
<H4><A name="2.4">2.4.x is possible</A></H4>
 The new 2.4 series of kernels began in January 2001 and are currently 
(early June) at 2.4.5. FreeS/WAN is known to work on 2.4.5. 
<P> 2.4 has new firewalling code called <A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
netfilter</A>. This may provide good reasons to move to 2.4, especially 
on for gateway machines. </P>
<H4><A name="2.0">2.0.x should still work</A></H4>
<P> In the older 2.0.x kernel series, we no longer support versions 
earlier than 2.0.38. 2.0.38 has fixes for a number of small 
security-related glitches, worth having on a security gateway machine. 
FreeS/WAN has been tested on 2.0.39, and does work there.</P>
<P> Recent versions of FreeS/WAN are not heavily tested on 2.0 kernels. 
Most of both the development team and the user community are on 2.2, or 
even 2.4, by now.</P>
<P> We are likely to drop 2.0 support entirely if some problem crops up 
that would mean retaining it required significant work from our team. </P>
<H4><A name="devkernel">Development kernels</A></H4>
 Development kernels are a separate series, work-in-progress versions 
for use by kernel developers. By convention, production kernels have an 
even second digit in the version number (2.0, 2.2, 2.4) and development 
kernels have an odd digit there (2.1, 2.3, 2.5). 
<P> At time of writing, no more 2.3 kernels are being produced and the 
2.5 series has not been started yet, so just now development kernels 
are not an issue. No doubt a 2.5 series will be started in the next few 
months. </P>
<P><STRONG> Development kernels are not intended for production use</STRONG>
. They change often and include new code which has not yet been 
thoroughly tested. <STRONG>This regularly breaks things, including 
FreeS/WAN</STRONG>. The FreeS/WAN team does not have the resources to 
chase the moving target; our priority is developing FreeS/WAN on stable 
kernels. If you encounter a problem on a development kernel, please 
solve it (you are a developer, aren't you?) and send us a patch. Of 
course, we will happily discuss problems and solutions on the <A href="mail.html">
mailing list</A>, but we are unlikely to do much work on actually 
implementing a solution. </P>
<P> Fortunately we have a user who regularly fixes problems with 
FreeS/WAN on development kernels (merci, Marc), and we do fix some 
ourselves. FreeS/WAN often works just fine on a development kernel; 
it's just that there's no guarantee. </P>
<P> If you are going to test FreeS/WAN with a development kernel, we 
recommend you <STRONG>use our latest snapshot</STRONG>. This is the 
FreeS/WAN version most likely to have the patches required to work on a 
recent development kernel. The released version of FreeS/WAN is likely 
to be out of date for your purposes.</P>
<H3><A name="getkernel">Things you must have installed</A></H3>
<P> If you have a CD distribution of Linux, it should include 
everything you need. </P>
<H4><A " name="tool.lib">Tools and libraries</A></H4>
 Use your distribution's tools to load:
<UL>
<LI>tools 
<UL>
<LI>a GNU C compiler (gcc or egcs)</LI>
<LI>assembler and linker for your architecture (the bin86 package on 
PCs)</LI>
<LI>miscellaneous development tools such as make(1) and patch(1)</LI>
</UL>
</LI>
<LI>libraries, both headers and object modules 
<UL>
<LI>standard compiler libraries such as glibc</LI>
<LI>the GMP (<STRONG>G</STRONG>NU <STRONG>M</STRONG>ulti-<STRONG>P</STRONG>
recision) library, required for Pluto's public  key calculations. </LI>
<LI>ncurses library if you want to use menuconfig (recommended)</LI>
</UL>
</LI>
</UL>
<P> There are some <STRONG>common slips</STRONG> worth avoiding here: </P>
<UL>
<LI>not installing the GMP library. Pluto will not compile without it. 
See the FreeS/WAN FAQ for <A href="#gmp.h_missing">more detail</A> if 
required. </LI>
<LI>not installing patch(1). Our scripts need it to apply our patches 
to the kernel. </LI>
</UL>
<H4><A name="kernel.">Kernel source code</A></H4>
 You need the source code for the kernel because you must patch and 
re-compile it to install FreeS/WAN. There are several places you can 
get this: 
<UL>
<LI>off your distribution CDs </LI>
<LI>from your ditribution vendor's website </LI>
<LI>from kernel.org </LI>
</UL>
<H5><A name="kernel.cd">Kernel from CD</A></H5>
 You can install the kernel from your distribution CD. It may be in two 
packages. 
<UL>
<LI>kernel source</LI>
<LI>kernel headers</LI>
</UL>
 However, if your CD is not recent, it may have an older kernel, in 
which case we suggest getting more recent kernel source from the net.
<H5>Vendor kernels</H5>
<P> All the major distribution vendors provide kernel source. See for 
example:</P>
<UL>
<LI>Red Hat's list of <A href="http://www.redhat.com/mirrors.html">
mirror  sites</A></LI>
<LI>SuSE's <A href="http://www.suse.com/us/support/download/index.html">
download page</A></LI>
</UL>
<P> Using a kernel from your distribution vendor may save you some 
annoyance later.</P>
<P> Different distributions put the kernel in different places 
(/vmlinuz,  /boot/vmlinuz, /boot/vmlinuz-2.2.15 ...) and set lilo (the <STRONG>
 Li</STRONG>nux <STRONG>lo</STRONG>ader) up differently. With a  kernel 
from your distribution vendor, everything should work right. With 
 other combinations, a newly compiled kernel may be installed in one 
place  while lilo is looking in another. You can of course adjust the 
kernel  Makefile and/or /etc/lilo.conf to solve this problem, but we 
suggest just  avoiding it.</P>
<P> Also, distributions vendors may include patches or drivers which 
are not  part of the standard kernel. If you install a standard kernel, 
you must  either do without those features or download those patches 
and add them  yourself.</P>
<H5>Kernels from kernel.org</H5>
 For kernels direct from Linus, without any distribution vendor's 
modifications, see the <A href="http://www.kernel.org/mirrors/">
kernel.org</A> mirror list, or go directly to <NOBR><VAR>
ftp.&lt;country&gt;.kernel.org</VAR>,</NOBR> with the appropriate two-letter 
country code inserted.
<H4>Once you've found a kernel</H4>
<P> Once you have found suitable kernel source, choose a mirror that is 
close to you and bookmark it.</P>
<P> Kernel source normally resides in <VAR>/usr/src/linux</VAR>, 
whether you load it from a distribution CD or download a tar file into <VAR>
/usr/src</VAR> and untar it there. Unless you both have unusual 
requirements and know exactly what you're doing, we recommend you put 
it there.</P>
<H3><A NAME="2_3_3">Getting FreeS/WAN</A></H3>
<P> You can download FreeS/WAN from our <A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/">
primary site</A> or one of our <A href="#sites">mirrors</A>. </P>
<P> Put the tarfile under <VAR>/usr/src</VAR> and untar it there. The 
command to use is: </P>
<UL>
<LI>tar -xzf freeswan*.gz </LI>
</UL>
<P> This will give you a directory <VAR>/usr/src/freeswan&lt;version&gt;</VAR>
.</P>
<P>Note that <STRONG>these methods don't work:</STRONG></P>
<UL>
<LI>putting freeswan under <VAR>/usr/src/linux</VAR>. The links become 
confused.</LI>
<LI>untarring in one place, then using <VAR>cp -R</VAR> to move it 
where you want  it. Some necessary symbolic links are not copied.</LI>
</UL>
<H3><A name="kconfig">Kernel configuration</A></H3>
<P> The gateway kernel must be configured before FreeS/WAN is added 
because some of our utilities rely on the results of configuration. </P>
<P><STRONG> Note for Redhat 7.1 users</STRONG>: If you are using the 
Redhat-supplied kernel, then you <STRONG>must do a <NOBR><VAR>make 
mrproper</VAR></NOBR></STRONG> command before starting the kernel 
configuration. This prevents some unpleasant interactions between 
Redhat's config and our patches. </P>
<P> On some distributions, you can get the configuration files for the 
vendor's standard kernel(s) off the CD, and use that. This allows you 
to skip this step; you need not configure the kernel if the vendor has <EM>
and you have the vendor's config file installed</EM>. Here is a mailing 
list message  describing the procedure for Redhat: </P>
<PRE>
Subject: Re: [Users] Do I need to recompile kernel 2.2.17-14?
   Date: Wed, 6 Jun 2001 08:38:38 -0500
   From: &quot;Corey J. Steele&quot; &lt;csteele@mtron.com&gt;

if you install the corresponding kernel-source-*.rpm, you can actually find
the config file used to build that kernel in /usr/src/linux/Configs, just
copy the one you want to use (based solely on architecture) to
/usr/src/linux/.config, and proceed!  It should work.
</PRE>
 If you have ever configured the kernel yourself on this machine, you 
can also skip this step. 
<P> If the kernel has not been configured, do that now. This is done by 
giving one of the following commands in <VAR>/usr/src/linux</VAR>:</P>
<DL>
<DT>make config</DT>
<DD>command-line interface</DD>
<DT>make menuconfig</DT>
<DD>text menus (requires curses(3) libraries)</DD>
<DT>make xconfig</DT>
<DD>using the X window system (requires X, not recommended for 
 gateways)</DD>
</DL>
<P> Any of these wiil do the job. If you have no established 
preference, we suggest trying <VAR>menuconfig</VAR>.</P>
<P> For more information on configuring your kernel, see our <A href="kernel.html">
section</A> on that topic.</P>
<H3><A name="inst-test">Install and test a kernel before adding 
FreeS/WAN</A></H3>
<P> You should compile, install and test the kernels as you have 
configured them, so that you have a known stable starting point. The 
series of commands involved is usually something like:</P>
<DL>
<DT>make menuconfig</DT>
<DD>choose kernel options, set up a kernel for your machine</DD>
<DT>make dep</DT>
<DD>find <STRONG>dep</STRONG>endencies between files</DD>
<DT>make bzImage</DT>
<DD>build a loadable kernel image, compressed with bzip(1)</DD>
<DT>make install</DT>
<DD>install it</DD>
<DT>make modules</DT>
<DD>build modules which can be added to a running kernel</DD>
<DT>make modules_install</DT>
<DD>install them</DD>
<DT>lilo</DT>
<DD>ensure that the boot loader sees your changes</DD>
</DL>
<P> Doing this first means that if there is a problem after you add 
FreeS/WAN, tracking it down is <EM>much</EM> simpler.</P>
<P> If you need advice on this process, or general Linux background 
information, try our <A href="#linux.link">Linux web references</A>. 
The most directly relevant document is the <A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">
Kernel HowTo</A>.</P>
<H2><A name="building">Building and installing the software</A></H2>
<P> There are several ways to build and install the software. All 
require that you have kernel source, correctly configured for your 
machine, as a starting point. If you don't have that yet, see the <A href="#before">
previous section</A></P>
<P> Whatever method you choose, it will do all of the following: </P>
<UL>
<LI>add FreeS/WAN code to the kernel 
<UL>
<LI>insert patches into standard kernel code to provide an  interface</LI>
<LI>add additional files which use that interface</LI>
</UL>
</LI>
<LI>re-configure and re-compile the kernel to activate that code</LI>
<LI>install the new kernel</LI>
<LI>build the non-kernel FreeS/WAN programs and install them 
<UL>
<LI><A href="manpage.d/ipsec.8.html">ipsec(8)</A> in <VAR>
/usr/local/sbin</VAR></LI>
<LI>others in <VAR>/usr/local/lib/ipsec</VAR></LI>
</UL>
</LI>
<LI>install FreeS/WAN <A href="manpages.html">man pages</A> under <VAR>
 /usr/local/man</VAR></LI>
<LI>create the configuration file <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A>. Editing this file to  configure your IPSEC gateway 
is described in the <A href="config.html">next section</A>.</LI>
<LI>create an RSA public/private key pair for your system and place it 
in <A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></LI>
<LI>install the initialisation script <VAR>/etc/rc.d/init.d/ipsec</VAR></LI>
<LI>create links to that script from the <VAR>/etc/rc.d/rc[0-6].d</VAR>
 directories so that each run  level starts or stops IPSEC. (If the 
previous sentence makes no sense to  you, try the <A href="http://www.linuxdoc.org/HOWTO/From-PowerUp-To-Bash-Prompt-HOWTO.html">
From  Power-up to Bash Prompt HowTo</A>).</LI>
</UL>
<P> You can do the whole install with two commands (recommended in most 
cases) or get into as much of the detail as you like.</P>
<H3><A name="allbut">Everything but kernel installation</A></H3>
<P> To do everything except install the new kernel, <VAR>cd</VAR> into 
the freeswan directory and become root. Give <STRONG>any one</STRONG>
 of the following commands:</P>
<DL>
<DT>make oldgo</DT>
<DD>Uses FreeS/WAN's default settings for some kernel configuration 
 options. Leaves all other options unchanged from your last kernel 
 configuration.</DD>
<DT>make ogo</DT>
<DD>Invokes <VAR>config</VAR> so you can configure the kernel from the 
 command line.</DD>
<DT>make menugo</DT>
<DD>Invokes <VAR>menuconfig</VAR> so you can configure the kernel with 
 text-mode menus.</DD>
<DT>make xgo</DT>
<DD>Invokes <VAR>xconfig</VAR> so you can configure the kernel in an X 
 window.</DD>
</DL>
<P> You must <STRONG>save the new configuration even if you make no 
changes</STRONG>. This ensures that the FreeS/WAN changes are actually 
seen by the system.</P>
<P> Our scripts save the output of <VAR>make</VAR> commands they call 
in files with names like <VAR>out.kbuild</VAR> or <VAR>out.kinstall</VAR>
. The last command of each script checks the appropriate <VAR>out.*</VAR>
 file for error messages.</P>
<UL>
<LI>If the last output you see is <VAR>make</VAR> saying it is calling 
our <VAR> errcheck</VAR> script, then all is well. There were no errors.</LI>
<LI>If not, an error has occurred. Check the appropriate <VAR>out.*</VAR>
 file for details.</LI>
</UL>
<P> For the above commands, the error files are <VAR>out.kpatch</VAR>
 and <VAR>out.kbuild</VAR>. </P>
<P> These scripts automatically build an <A href="#RSA">RSA</A>
 authentication key pair (a public key and the matching private key) 
for you, and put the result in <VAR>/etc/ipsec.secrets</VAR>. For 
information on using RSA authentication, see our <A href="config.html">
configuration section</A>. Here, we need only note that generating the 
key uses random(4) quite heavily and if random(4) runs out of 
randomness, <STRONG>it will block until it has enough input</STRONG>. 
You may need to provide input by moving the mouse around a lot, or 
going to another window and typing random characters, or using some 
command such as <VAR>du -s /usr</VAR> to generate disk activity.</P>
<H3><A name="newk">Installing the new kernel</A></H3>
<P>To install the kernel the easy way, just give this command in the 
FreeS/WAN directory:</P>
<DL>
<DT>make kinstall</DT>
<DD>Installs the new kernel and, if required, the modules to go with 
 it. Errors, if any, are reported in <VAR>out.kinstall</VAR></DD>
</DL>
<P> Using <VAR>make kinstall</VAR> from the FreeS/WAN directory is 
equivalent to giving the following sequence of commands in <VAR>
/usr/src/linux</VAR>:</P>
<UL>
<LI>make</LI>
<LI>make install</LI>
<LI>make modules</LI>
<LI>make modules_install</LI>
</UL>
<P>If you prefer that sequence, use it instead.</P>
<P> If you have some unusual setup such that the above sequence of 
commands won't work on your system, then our <VAR>make kinstall</VAR>
 will not work either. Use whatever method does work on your system. 
See our <A href="impl.notes">implementation notes</A> file for 
additional information that may help in such situations.</P>
<P>
<H3><A NAME="2_4_3">Make sure Lilo knows about the new kernel</A></H3>
<P> Check your lilo.conf(5) file to ensure it points to the right 
kernel, then run lilo(8) to read lilo.conf(5) and set up the bootloader.</P>
<H2><A name="testinstall">Testing to see if install succeeded</A></H2>
<P> To check that you have a sucessful install, you can reboot and 
check (by watching messages during boot or by looking at them later 
with dmesg(8)) that:</P>
<UL>
<LI>the kernel reports the right version. If not, you are likely still 
 running your old kernel. Check your lilo.conf(5) file and the 
installation  directory (defined in the kernel make file, often /boot 
but the default is  /), then rerun lilo(8).</LI>
<LI>KLIPS initialisation messages appear</LI>
<LI>Pluto reports that it is starting</LI>
</UL>
<P>You can also try the commands:</P>
<UL>
<LI><VAR>ipsec --version</VAR>, to test whether /usr/local/bin is in 
your  path so you can use IPSEC administration commands</LI>
<LI><VAR>ipsec whack --status</VAR>, using <A href="manpage.d#ipsec_whack.8.html">
ipsec_whack(8)</A> to ask Pluto for  status information</LI>
</UL>
<P> Of course any status information at this point should be 
uninteresting since you have not yet configured connections.</P>
<H2><A NAME="2_6">Where to go from here</A></H2>
<P>See the following section for information on <A href="config.html">
configuring connections</A>.</P>
<P>Alternately, you might want to look at background material on the <A href="ipsec.html">
protocols used</A> before trying configuration.</P>
<HR>
<H1><A name="setup">Configuration</A></H1>
<P>This section describes setting up and testing Linux FreeS/WAN.</P>
<P>Before attempting this, you should:</P>
<UL>
<LI>look at our <A href="intro.html">introduction</A> section. We 
assume here  that you understand concepts and terms described there.</LI>
<LI>ensure that FreeS/WAN is installed on your system. See these links: 
<UL>
<LI><A href="#testinstall">testing</A> whether FreeS/WAN is  installed</LI>
<LI>performing an <A href="install.html">installation</A></LI>
</UL>
</LI>
</UL>
<P> You also need to set up and test IP networking on all the machines 
you plan to install FreeS/WAN on or to use in testing, before trying to 
set up FreeS/WAN. This is discussed in more detail after the 
description of our example networks.</P>
<H2><A name="example">Our example networks</A></H2>
<P> For our examples, we assume that there are only three networks 
involved, two that want to talk to each other plus the Internet in the 
middle. The idea is to build an encrypted tunnel across the Internet so 
the two networks can talk securely. Once you have this working between 
two network gateways, extending it to three or more is straightforward.</P>
<P> In our examples, we'll call the two gateways East and West. We'll 
have only one client machine on each net: Sunrise in the East and 
Sunset in the West.</P>
<P>A diagram:</P>
<PRE>
     Sunset==========West------------------East=========Sunrise
           local net       untrusted net       local net
</PRE>
<P> Our goal here is to tell you how to set up the two gateways, East 
and West. We assume your goal is to ensure that East and West encrypt 
all traffic between them, or at least all that your security policies 
require them to encrypt.</P>
<P> Of course one does not always have a security gateway separate from 
the client machine. Especially for road warriors, a network that looks 
like this is common:</P>
<PRE>
                                           telecommuter's PC or
       corporate LAN                       traveller's laptop
     Sunset==========West------------------East
           local net       untrusted net
</PRE>
<P>and this is possible:</P>
<PRE>
                     West------------------East
                           untrusted net
</PRE>
<P> In our configuration files, and in this discussion, we treat the 
two simpler setups as degenerate cases of the network-to-network link. 
For all the diagrams above, for example, we speak of &quot;the subnet behind 
East&quot;. In two of the diagrams, of course, that &quot;subnet&quot; is just the 
machine itself.</P>
<P> This may take some getting used to, but we hope it is less 
confusing than continually having to say things like &quot;the subnet behind 
East (or the East machine itself if there is no client subnet)&quot;.</P>
<H2><A name="testnet">Configuration for a testbed network</A></H2>
<P>Many users just want to get IPSEC installed on a few machines. They 
can skip this section.</P>
<P>Others may want to build a testbed network, for any of a number of 
reasons. For them, we have some suggestions.</P>
<P> The ideal test setup for IPSEC is something like:</P>
<PRE>
        Sunset==========West-----eth0    eth1-----East=========Sunrise
              local net          test machine         local net
</PRE>
<P> The test machine routes packets between the two gateways. This 
makes things more complicated than if you just connected the two 
gateway machines directly to each other, but it also makes your test 
setup much more like the environment you actually use IPSEC in. Those 
environments nearly always involve routing, and quite a few apparent 
IPSEC failures turn out to be problems with routing or with firewalls 
dropping packets. This approach lets you deal with those problems on 
your test setup.</P>
<P> Also, the test machine is in the ideal position to run diagnostic 
software (such as tcpdump(8)) for checking IPSEC packets. Such software 
is likely to misbehave if run on the gateways themselves. It is 
designed to look into a normal IP stack and may become confused if you 
ask it to display data from a stack which has IPSEC in play.</P>
<P> For more detailed testbed information see these <A href="mail.html">
mailing list</A> messages: </P>
<UL>
<LI>a user's detailed <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00571.html">
setup diary</A> for his testbed network </LI>
<LI>a FreeS/WAN team member's <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00425.html">
notes</A> from testing at an IPSEC interop &quot;bakeoff&quot; </LI>
</UL>
<H2><A name="setupnet">Set up and test networking</A></H2>
<P> Before trying to get FreeS/WAN working, you should configure and 
test IP networking on both gateways and on at least one client machine 
behind each of them. <STRONG>IPSEC cannot work without a working IP 
network beneath it.</STRONG> Many reported &quot;FreeS/WAN problems&quot; turn 
out to actually be problems with routing or firewalling. If any actual 
IPSEC problems turn up, you often cannot even recognise them (much less 
debug them) unless the underlying network is right.</P>
<P>If you need advice on this, your best sources are likely:</P>
<UL>
<LI>the <A href="http://www.linuxdoc.org/HOWTO/Net-HOWTO/index.html">
Networking Howto</A></LI>
<LI>the <A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network 
 Administrator's Guide</A>.</LI>
<LI>the <A href="http://netfilter.kernelnotes.org/unreliable-guides/networking-concepts-HOWTO/index.html">
Linux  Networking-concepts HOWTO</A> from Rusty Russell, author of most 
of the  Linux firewalling code</LI>
</UL>
<P> See also our <A href="biblio.html">bibliography</A>. </P>
<P>Here is our network diagram again:</P>
<PRE>
        Sunset==========West------------------East=========Sunrise
              local net       untrusted net       local net
</PRE>
<P> The client machines, Sunrise and Sunset in our example, may have 
assigned <A href="#routable">routable</A> IP addresses, or they may be 
using private <A href="#non-routable">non-routable</A> addresses (as 
defined in RFC 1918) with the gateways doing <A href="#masq">IP 
masquerade</A>. It doesn't matter which, as long as whatever it is 
works correctly.</P>
<P>Note, however, that the two subnets must have distinct addresses. 
You cannot have them both masqueraded to the same range of RFC 1918 
addresses.</P>
<UL>
<LI>If Sunrise and Sunset have routable IP addresses, test that they 
can  ping each other.</LI>
<LI>If IP masquerading is in use, test as far as you can. For example, 
if  Sunset is masqueraded behind West then Sunrise cannot ping Sunset 
but  should be able to ping West. Whether Sunset can ping Sunrise, 
assuming  Sunrise is not masqueraded, would depend on whether West's 
rules let ICMP  packets through. If not, you should adjust those rules.</LI>
</UL>
<P>In any case, it is not enough to just test that East and West can 
communicate.</P>
<H3><A name="forward">Enabling packet forwarding</A></H3>
<P> Some systems turn off packet forwarding by default, even for 
kernels in which it has been enabled. This is the safe default. You 
don't want systems forwarding packets in uncontrolled ways. </P>
<P> To turn forwarding on temporarily, use the following command as 
root: </P>
<PRE>
         echo &quot;1&quot; &gt; /proc/sys/net/ipv4/ip_forward
</PRE>
 Turning it on permanently is also possible. The exact method varies 
from distribution to distribution: 
<DL>
<DT>Older Readhat </DT>
<DD>in the file <VAR>/etc/sysconfig/network</VAR>, set <VAR>
 FORWARD_IPV4=yes </VAR></DD>
<DT>Redhat 6.x and 7.0 </DT>
<DD>in the file <VAR>/etc/sysconfig/network</VAR>, set <VAR>
 net.ipv4.ip_forward=1 </VAR></DD>
<DT>Debian r2.2 systems (and most likely Debian r2.2 derived systems): </DT>
<DD>in the file <VAR>/etc/network/options</VAR>, set <VAR>
 ip_forward=yes </VAR></DD>
</DL>
<P> A gateway machine needs forwarding enabled or it will not route 
packets between the two networks it is attached to. The simplest way to 
ensure this is to enable forwarding using whatever method your 
distribution provides. See list above. </P>
<P> A more conservative approach is to disable forwarding in your 
system configuration, then enable from your boot scripts after 
appropriate firewall scripts are in place. </P>
<H3><A name="othersoft">Other software</A></H3>
<P> Configure and test any other software you will want to use for 
testing once IPSEC is up. For example, you might put an HTTP daemon on 
Sunset and a browser on Sunrise. Make sure these work without IPSEC.</P>
<P>If these tests fail, figure out why and fix it. <STRONG>Do not 
proceed until it works.</STRONG></P>
<H2><A name="rtfm">RTFM (please Read The Fine Manuals)</A></H2>
<P> As with most things on any Unix-like system, most parts of Linux 
FreeS/WAN are documented in online manual pages. We provide a list of <A href="manpages.html">
FreeS/WAN man pages</A>, with links to HTML versions of them. </P>
<P> The man pages describing configuration files are: </P>
<UL>
<LI><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
<LI><A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></LI>
</UL>
<P> Man pages for commands used in this document include:</P>
<UL>
<LI><A href="manpage.d/ipsec.8.html">ipsec(8)</A></LI>
<LI><A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A></LI>
<LI><A href="manpage.d/ipsec_rsasigkey.8.html">ipsec_rsasigkey(8)</A></LI>
<LI><A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></LI>
<LI><A href="manpage.d/ipsec_manual.8.html">ipsec_manual(8)</A></LI>
</UL>
<P> You can read these either in HTML using the links above or with the <VAR>
man(1)</VAR> command.</P>
<P>
<H2><A name="usersakey">Setting up RSA authentication keys</A></H2>
<P> RSA keys come in matched pairs. Each pair includes:</P>
<UL>
<LI>a <STRONG>public key</STRONG> which need not be kept secure. 
Everyone  you plan to communicate with must be able to get a copy of 
this. It does  not matter if an enemy gets it as well.</LI>
<LI>a <STRONG>private key</STRONG> which must be kept secure. No-one 
but  you should have access to it. </LI>
</UL>
<P> For FreeS/WAN, both keys for your system are in the <A href="manpage.d/ipsec.secrets.5.html">
ipsec.secrets(5)</A> file. <STRONG>Maintaining security of this file is 
essential</STRONG> since it holds your private key.</P>
<P> Public keys for systems you communicate with are placed in <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A>. Security here is less vital (unless you are using 
manual keying as well, in which case the file may have secret keys). It 
does not matter if an enemy knows the public keys, as long as the 
private keys are protected.</P>
<H3><A name="genrsakey">Generating an RSA key pair</A></H3>
<P> If you installed FreeS/WAN yourself, then the installation process 
has already generated an RSA key pair for you and placed it in the <A href="manpage.d/ipsec.secrets.5.html">
ipsec.secrets(5)</A> file.</P>
<P>If not, you need to:</P>
<UL>
<LI>Generate an RSA key pair (private and public) using <A href="manpage.d/ipsec_rsasigkey.8.html">
 ipsec_rsasigkey(8)</A>.</LI>
<LI>Put the private key in <A href="manpage.d/ipsec.secrets.5.html">
ipsec.secrets</A>,  with a wrapper. The result looks like this: </LI>
<PRE>
: RSA {
      &lt;stuff generated by rsasigkey&gt;

      }
</PRE>
 Note that: 
<UL>
<LI>the &quot;:&quot; must be unindented (at the margin)</LI>
<LI>the other lines, including the &quot;}&quot;, must be indented (not at the 
 margin)</LI>
<LI>spaces are needed to separate tokens so, for example, &quot;:RSA{&quot; 
 won't work.</LI>
</UL>
</UL>
<P> This means &quot;always use this as my private RSA key&quot;. For other 
options,  for example if you want to use different keys with different 
partners,  see the man pages.</P>
<P> The RSA keys we generate are suitable <STRONG>only</STRONG> for 
authentication, not for encryption. IPSEC uses them only for 
authentication. See our <A href="ipsec.html">IPSEC</A> section for 
details.</P>
<P> It is also possible to use keys in other formats, not generated by 
FreeS/WAN. This may be necessary for interoperation with other IPSEC 
implementations. See our links to <A href="web.html#patches">patches</A>
 which add support for keys generated by PGP or embedded in X.509 
certificates.</P>
<H3><A name="keyexchange">Exchanging authentication keys</A></H3>
<P> The next step is to send your public key to everyone you need to 
set up connections with, and collect their public keys.  The public key 
is the line in the output of rsasigkey starting &quot;#pubkey=0x&quot;.</P>
<P> Public keys need not be protected as fanatically as private keys. 
They are intended to be made public; the system is designed to work 
even if an enemy knows all the public keys used.</P>
<P> Note, however, that <STRONG>authentication of public keys is 
critical</STRONG>. It does not matter if an enemy knows your public 
keys, but if you can be tricked into trusting a public key supplied by 
an enemy, you are in deep trouble.</P>
<P> For example, consider the fellow who wants to communicate with his 
mistress, keeping messages secret from his wife. </P>
<UL>
<LI>If the wife obtains the mistress' public key, that is not a 
problem. As long as she does not get the private key, she can neither 
read things sent to the mistress nor authenticate herself as the 
mistress.</LI>
<LI>If the mistress has any sense, she protects her private key 
carefully. So long as she does that, and the husband encrypts his 
messages correctly, there should be no (cryptographic!) problem.</LI>
<LI>However, imagine that the wife is somewhat devious. She generates a 
public/private key pair and sends the husband that public key, forging 
the message to look as if it came from the mistress. Of course this 
fails if the husband has enough sense to check the key's validity 
before using it.</LI>
<LI>However, if the husband blindly <EM>accepts that key without 
verification</EM>, it is <EM>extremely</EM> unlikely that he will be 
pleased with the results.</LI>
<LI>If he accepts that key, the wife can read every message he sends to 
it. </LI>
<LI>She can also pose as the mistress and send him whatever messages 
she likes. </LI>
</UL>
<P> You <STRONG>must authenticate any public keys received</STRONG>
 before using them. For remote sites, the simplest method is to 
exchange them using PGP-signed email (taking appropriate steps to 
authenticate the signing keys). For nearby machines, a floppy disk or 
trusted network is fine.</P>
<H3><A name="useRSA">Using RSA signatures for authentication</A></H3>
<P> For each system you will communicate with, you need an RSA public 
key and an identifier associated with it. The identifiers go in the <VAR>
leftid=</VAR> and <VAR>rightid=</VAR> lines of connection descriptions 
in <VAR>ipsec.conf(5)</VAR>. They are the names the  systems use to 
identify themselves during connection negotiation.</P>
<P> There are four possible forms for these identifiers:</P>
<UL>
<LI>an IP address in dotted quad notation, four numbers separated by 
 periods (10.1.19.32).</LI>
<LI>a domain name, which will be resolved immediately 
 (bad.example.com).</LI>
<LI>a fully qualified domain name (FQDN) with a leading &quot;@&quot; to 
 indicate that it should not be resolved (@good.example.com)</LI>
<LI>user@FQDN (fred@example.com)</LI>
</UL>
<P> We recommend that only the @FQDN form be used in most applications. 
IP  addresses make remarkably uninteresting names. Resolving a name to 
an IP  address is not interesting in this context, and attempting to 
resolve it  may cause problems if DNS is down or if someone subverts a 
DNS server  which you rely on. </P>
<P> If your domain is example.com, the names you use should be of three 
 types:</P>
<UL>
<LI>machine names such as &quot;@firewall.example.com&quot;.</LI>
<LI>names for other resources, chosen not to conflict, such as 
 &quot;@fireplug.example.com&quot;</LI>
<LI>identifiers for people (actually for their road warrior machines), 
 such as &quot;@alice.example.com&quot; or, if she  prefers, 
&quot;@cleopatra.example.com&quot;.</LI>
</UL>
<P> In order to facilitate distributing keys through DNS, we recommend 
 avoiding </P>
<UL>
<LI>names from non-existent domains</LI>
<LI>names from other people's domains</LI>
<LI>names which conflict with machine names in your domain</LI>
<LI>user@FQDN</LI>
</UL>
<P> For example, if you have a server alice.example.com, then you 
should not  use  &quot;@alice.example.com&quot; to identify Alice's laptop for 
IPSEC.</P>
<H2><A name="basic.conf">The configuration file</A></H2>
<P>FreeS/WAN uses a configuration file, <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A>.</P>
 This section describes setting up the parts of that file that apply to 
all connections: 
<DL>
<DT><VAR>config setup</VAR> section</DT>
<DD>describes machine configuration</DD>
<DT><VAR>conn default</VAR> section</DT>
<DD>default parameters which apply to all connections</DD>
</DL>
<P> and gives an introduction to the parts of the file that specify the 
actual connections. The following section covers setting up three 
common types of connection, all using automatic keying with RSA 
authentication of the gateways:</P>
<DL>
<DT>conventional VPN</DT>
<DD>two security gateways, each with a known fixed IP address and with 
a  network of client machines behind it</DD>
<DT>Road Warrior</DT>
<DD>one player has a dynamically-assigned address</DD>
<DT>opportunistic encryption</DT>
<DD>the two machines have no prior knowledge of each other, but are set 
 up to secure connections whenever possible</DD>
</DL>
<P>Setup is quite similar for each of these, but details differ.</P>
<P>Other types of connections are covered in later sections.</P>
<P>The easiest way to create a connection is by editing one of our 
examples.  Here we will use the one in the installation <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf</A> file. You could also start  with one from our <A href="examples">
doc/examples</A> file if one of those  is closer to what you need to do.</P>
<H3><A name="setup.conf">The setup section of ipsec.conf(5)</A></H3>
<P>The first section of <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> contains overall setup  parameters for IPSEC, which 
apply to all connections. In our example file,  it is:</P>
<PRE>
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  &quot;none&quot; for (almost) none, &quot;all&quot; for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
</PRE>
<P>The variables set here are:</P>
<DL>
<DT>interfaces</DT>
<DD>Tells the <A href="#KLIPS">KLIPS</A> IPSEC code in the Linux kernel 
 which network interface to use. The interfaces specified here are the 
 only ones this gateway machine will use to communicate with other 
 IPSEC gateways. <STRONG>If this is not correct, nothing  works.</STRONG>
</DD>
<P>In many cases, the appropriate interface is just your default 
 connection to the world (the Internet, or your corporate network). In 
 these cases, you can use the default setting:</P>
<UL>
<LI>interfaces=%defaultroute</LI>
</UL>
<P> To check what FreeS/WAN sees as the default route, you can use the 
 command <VAR>ipsec showdefaults</VAR>. You may need to compare this 
 with the output from <VAR>route -n</VAR> to get a more complete 
 picture. </P>
<P>In other cases, you can name one or more specific interfaces to be 
 used by FreeS/WAN. For example:</P>
<UL>
<LI>interfaces=&quot;ipsec0=eth0&quot;</LI>
<LI>interfaces=&quot;ipsec0=eth0 ipsec1=ppp0&quot;</LI>
</UL>
 Both tell KLIPS to use eth0 as ipsec0. The second one also supports 
 IPSEC over PPP. 
<P>Note that</P>
<UL>
<LI>Multiple tunnels do not require multiple interfaces. It is 
 possible, and even common, to have one ipsec interface carrying 
 traffic for many tunnels.</LI>
<LI>For PPP connections, you specify the virtual PPP interface (for 
 example <VAR>ppp0</VAR>) here, <STRONG>not</STRONG> the underlying 
 physical interface.</LI>
</UL>
<P>If you need to discover interface names, use the command:</P>
<PRE>        ifconfig</PRE>
 If you have PCMCIA or other interfaces that are not available at boot 
 time, special measures are required. See our <A href="#dynamic">section</A>
 on that.
<DT>klipsdebug</DT>
<DD>Debugging setting for the KLIPS kernel code</DD>
<DT>plutodebug</DT>
<DD>Debugging setting for the Pluto key and connection negotiation 
 daemon. </DD>
<P><VAR>klipsdebug</VAR> and <VAR>plutodebug</VAR> can each be set to 
 &quot;none&quot; or to &quot;all&quot; in most circumstances. There are other options; see 
 the relevant man pages.</P>
<DT>plutoload</DT>
<DD>List of connections to be automatically loaded into memory when 
 Pluto starts.</DD>
<DT>plutostart</DT>
<DD>List of connections to be automatically negotiated when Pluto 
 starts. </DD>
<P><VAR>plutoload</VAR> and <VAR>plutostart</VAR> can be quoted lists 
 of connection names, but are often set to <VAR>%search</VAR> as in our 
 example. Any connection with <VAR>auto=add</VAR> in its connection 
 definition is then loaded, and any connection with <VAR> auto=start</VAR>
 is started.</P>
<P>In most cases, you want <VAR>plutostart=%search</VAR> here and <VAR>
 auto=start</VAR> in your connection descriptions. That way when a 
 connection is broken, for example if one machine crashes or is taken 
 down for some reason, it will be reliably rebuilt. If only one end is 
 told to start the connection, then if the other end crashes, you may 
 lose the connection for a long time. The end that could rebuild does 
 not know it needs to.</P>
<P>The exception to the above is when you have many road warriors 
 connecting to a single gateway. Having the gateway trying to rebuild 
 tunnels to systems which are offline can waste considerable resources. 
 In this case, the gateway should have <VAR>auto=add</VAR> for all 
 connections, and let the remote systems start negotiations.</P>
<DT>uniqueids</DT>
<DD>Controls whether two connections with the same subnet on the 
 remote end are allowed. Normally this is set to <VAR>yes</VAR> so that 
when a remote system disconnects and reconnects, Pluto  will 
automatically take the old connection down. </DD>
</DL>
<H3><A name="conn.default">Connection defaults</A></H3>
<P> There is a special name %default that lets you define things that 
apply to all connections. e.g. our example file has:</P>
<PRE>
# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # How to authenticate gateways
        authby=rsasig
</PRE>
<P>Variables set here are:</P>
<DL>
<DT>keyingtries</DT>
<DD>How persistent to be in (re)keying negotiations (0 means very). </DD>
<P>For testing, you might wish to set this to some small number, 
 perhaps even to 1, to avoid wasting resources on incorrectly set up 
 connections. In production, it is often set to zero (retry forever). 
 Keeping the connection up is what machine resources are for, so if a 
 connection is down you night as well waste resources retrying as waste 
 them by sitting idle. Of course some caution should be exercised with 
 this, since it can waste network resources as well.</P>
<DT>authby=rsasig</DT>
<DD>authenticate gateways using RSA signatures. This is the preferred 
 method and is what we will use in this section's examples. An 
 alternate method is to use <A href="#prodsecrets">shared  secrets</A>.</DD>
</DL>
<P>Once you are finished testing, you can  edit these defaults, adding 
 anything that is standard for all gateways in your organisation.</P>
<P> Previous versions of this document said: <BLOCKQUOTE> Note, 
however, that setting the <VAR>auto=</VAR> parameter in the default 
 connection description <STRONG>does not work</STRONG>. You cannot use <VAR>
 auto=start</VAR> here to get all connections started automatically or <VAR>
 auto=add</VAR> to get them all loaded. You must set that in the 
 individual connection descriptions. </BLOCKQUOTE> This restriction has 
been removed in FreeS/WAN 1.9. However, if the other end of the tunnel 
is an older version, the restriction will still apply there, so some 
caution is still required. </P>
<H3><A name="edit.conn">Editing a connection description</A></H3>
<P>Edit our example connection to match what you want to do.  Rename it 
 appropriately for the connection you would like to build: 
&quot;fred-susan&quot;,  &quot;reno-van&quot; or whatever. The name is the second string in 
the line that  begins with &quot;conn&quot;, for example in:</P>
<PRE>
        conn snt
</PRE>
<P> The connection name is &quot;snt&quot; (<STRONG>s</STRONG>ub<STRONG>n</STRONG>
et <STRONG>t</STRONG>unnel) and to define another connection you make a 
copy with a new name such as:</P>
<PRE>
        conn reno-van
</PRE>
<P> A sample connection description is:</P>
<PRE>
# sample tunnel
# The network here looks like:
#   leftsubnet====left----leftnexthop......rightnexthop----right====rightsubnet
# If left and right are on the same Ethernet, omit leftnexthop and rightnexthop.
conn sample
        # left security gateway (public-network address)
        left=10.0.0.1
        # next hop to reach right
        leftnexthop=10.44.55.66
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g., subnet behind it, and next hop to reach left
        right=10.12.12.1
        rightnexthop=10.88.77.66
        rightsubnet=192.168.0.0/24
        auto=start</PRE>
 We omit here the variables we have shown as set in the default 
connection  above. All of them could also be set here. If they are set 
in both places,  settings here take precedence. Defaults are used only 
if the specific  connection description has no value set. 
<P>The network described above looks like this:</P>
<PRE>
         subnet 172.16.0.0/24              =leftsubnet
                |
         interface 172.16.0.something
            left gateway machine
         interface 10.0.0.1                =left
                 |
         interface 10.44.55.66             =leftnexthop
              router
         interface we don't know
                 |
            INTERNET
                 |
         interface we don't know
              router
         interface 10.88.77.66             =rightnexthop
                 |
         interface 10.12.12.1              =right
            right gateway machine
         interface 192.168.0.something
                 |
         subnet 192.168.0.0/24             =rightsubnet</PRE>
 You need to edit the connection description, inserting appropriate IP 
 addresses and subnet descriptions so that it describes your network. 
<P>In most cases, you should use numeric IP addresses, not names, here. 
The  file syntax allows names to be used, but this creates an 
additional risk. If  someone can subvert the DNS service, then they can 
redirect packets whose  addresses are looked up via that service.</P>
<P> Many of the variables in this file come in pairs such as 
&quot;leftsubnet: and &quot;rightsubnet&quot;, one for each end of the connection. The 
variables on the left side are:</P>
<DL>
<DT>left</DT>
<DD>The gateway's external interface, the one it uses to talk to the 
 other gateway. This can be <VAR>left=%defaultroute</VAR>.</DD>
<DT>leftnexthop</DT>
<DD>Where left should send packets whose destination is right, 
typically  the first router in the appropriate direction. </DD>
<P>This need not always be set.</P>
<UL>
<LI>If the two gateways are directly linked (packets can go from one 
 to the other without IP routing by any intermediate device) then  you 
need not set either <VAR>leftnexthop</VAR> or <VAR> rightnexthop</VAR>.</LI>
<LI>a connection with <VAR>left=%defaultroute</VAR> or <VAR>
 right=%defaultroute</VAR> must not have the corresponding <VAR> nexthop</VAR>
 parameter set</LI>
</UL>
 However, <EM>in all other cases</EM>, you <EM>must</EM> provide 
 nexthop information. KLIPS (Kernel IP Security) bypasses the normal 
 routing machinery, so you must give KLIPS the information even though 
 routing already knows it. 
<P>(Yes, we know that design is not ideal, and we plan to change it. 
 See extensive discussions on the <A href="mail.html">mailing list</A>, 
 mostly with &quot;routing&quot; or &quot;KLIPS 2&quot; in the subject  lines.)</P>
<DT>leftsubnet</DT>
<DD>Addresses for the machines which left is protecting. 
<UL>
<LI>Often something like 101.202.203.0/24 to indicate that a subnet 
 resides behind left. Often this subnet will be directly connected  to 
left, but this not necessary. The only requirement is that left  must 
be able to route to it.</LI>
<LI>If you omit the leftsubnet line, then left is both the security 
 gateway and the only client on that end.</LI>
</UL>
 For some applications, you may want to create two connections, one to 
 protect traffic from the subnet behind left and another to protect 
 traffic from the left gateway itself. This takes two connection 
 descriptions. See <A href="#multitunnel">below</A>.</DD>
<DT>leftfirewall</DT>
<DD>Set to &quot;yes&quot; if there is a firewall in play that suppresses 
 forwarding, for example if a subnet behind left uses non-routable 
 addresses and left does <A href="#masq">IP masquerade</A> for them. 
 This will cause <A href="manpage.d/ipsec_pluto.8.html">Pluto</A> to 
invoke our default script to adjust the firewall as required. </DD>
<P> For more detail, including ways to invoke your own customised 
 script instead, see our <A href="firewall.html">FreeS/WAN and firewalls</A>
 section.</P>
<DT>auto</DT>
<DD>If the <VAR>conn setup</VAR> section has <VAR> plutoload=%search</VAR>
, then all connections marked <VAR> auto=add</VAR> are loaded when 
Pluto starts. </DD>
<P> If the <VAR>conn setup</VAR> section has <VAR> plutostart=%search</VAR>
, then all connections marked <VAR> auto=start</VAR> are started when 
Pluto starts.</P>
<P> Initially, we suggest using <VAR>auto=add</VAR> on  all 
connections. This lets you start them manually during  testing. Once 
they are tested, you can change many of them  to <VAR>auto=start</VAR>. </P>
</DL>
<P>For each left* parameter, there is a corresponding right* parameter.</P>
<P>Note that <EM>a connection to a subnet behind left does not include 
left  itself</EM>. The tunnel described above protects packets going <EM>
from one  subnet to the other</EM>. It does not apply to packets which 
either begin or  end their journey on one of the gateways. If you need 
to protect those  packets, you must build separate tunnel descriptions 
for them.</P>
<P>It is a common error to attempt testing a subnet-to-subnet 
connection by  pinging from one of the gateways to the far end or vice 
versa. <STRONG>This  does not work</STRONG>, even if the connection is 
functioning perfectly,  because <EM>traffic to or from the gateway 
itself is not sent on that  connection</EM>. If you want to protect 
traffic originating or terminating  on the gateway, then you need a 
separate tunnel for that in addition to the  subnet's tunnel. See the 
section on <A href="#multitunnel">multiple  tunnels</A> below.</P>
<H3><A name="which">Which is which?</A></H3>
<P>Which security gateway is &quot;left&quot; and which is &quot;right&quot; is arbitrary.</P>
<P>We suggest that you name connections by their ends. For example, 
name the  link between Fred and Susan's machines &quot;fred-susan&quot; or the 
link between your  Reno and Vancouver offices &quot;reno-van&quot;. You can then 
let &quot;left&quot; refer to the  left half of the name, &quot;fred&quot; or &quot;reno&quot; in our 
examples, and &quot;right&quot; to the  other half.</P>
<P>To simplify administration, we recommend that you <STRONG>use the 
same  names</STRONG> in the <VAR>ipsec.conf</VAR> files <STRONG>on both 
ends</STRONG>.  The name &quot;reno&quot;, for example, should refer to the 
machine in Reno, no matter  which city the file is in, and if &quot;reno&quot; is 
&quot;left&quot; in the reno-van description  in Reno, then &quot;reno&quot; should be 
&quot;left&quot; in that description on the Vancouver  machine as well. </P>
<P> Then when you copy the file from one machine to the other, the <EM>
only</EM> change you should make on the second machine is changing the <VAR>
 interfaces=</VAR> line to match the interface that machine  uses for 
IPSEC.</P>
<P> Of course the software does not actually require this. The names 
are just arbitrary strings to it. If your administrator in Reno wants 
to refer to the machines as &quot;Phobos&quot; and &quot;Demios&quot; while the Vancouver 
admin calls them &quot;George&quot; and &quot;Gracie&quot;, things should still work.</P>
<H2><A name="examples">Example setups</A></H2>
<P> In this section we show examples of three common setups: </P>
<UL>
<LI>a VPN connection </LI>
<LI>road warrior support </LI>
<LI>opportunistic encryption </LI>
</UL>
<P> We use a, b, c ... to indicate components of IP addresses. Each 
letter is some number in the range 0 to 255, inclusive.</P>
<P> For additional examples, see our <A href="examples">examples</A>
 file.</P>
<H3><A name="VPNex">VPN</A></H3>
<P> In this example, the network looks like this:</P>
<PRE>
         subnet a.b.c.0/24                 =leftsubnet
                |          (head office has routable IP addresses)
         interface a.b.c.d
            left gateway machine
         interface e.f.g.h                 =left
                 |         (external address outside a.b.c.0 subnet)
         interface e.f.g.i               =leftnexthop
              router
         interface we don't know
                 |
            INTERNET
                 |
         interface we don't know
              router
         interface j.k.l.m                =rightnexthop
                 |
         interface j.k.l.n                =right
            right gateway machine
         interface 192.168.0.something
                 |        (branch office uses private IP addresses)
         subnet 192.168.0.0/24             =rightsubnet
</PRE>
<P> The ipsec.conf(5) file might look like this (with RSA keys 
shortened for easy display):</P>
<PRE>
# basic configuration
config setup
        interfaces=eth0
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

# defaults that apply to all connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # How to authenticate gatways
        authby=rsasig

# VPN connection for head office and branch office
conn head-branch
        # identity we use in authentication exchanges
        leftid=@head.example.com
        leftrsasigkey=0x175cffc641f...
        # left security gateway (public-network address)
        left=e.f.g.h
        # next hop to reach right
        leftnexthop=e.f.g.i
        # subnet behind left (omit if there is no subnet)
        leftsubnet=a.b.c.0/24
        # right s.g., subnet behind it, and next hop to reach left
        rightid=@branch.example.com
        rightrsasigkey=0xfc641fd6d9a24...
        right=j.k.l.n
        rightnexthop=j.k.l.m
        rightsubnet=192.168.0.0/24
        # right is masquerading
        rightfirewall=yes
        auto=start
</PRE>
<P> The versions of this file at the two ends should be identical, 
except that each must have an <VAR>interfaces=</VAR> line appropriate 
for the local machine.</P>
<H4><A name="route_or_not">Routable and non-routable addresses</A></H4>
<P> RFC 1918 reserves three groups of addresses for use on private 
networks: </P>
<UL>
<LI>10.0.0.0/8 </LI>
<LI>172.16.0.0/12 </LI>
<LI>192.168.0.0/16 </LI>
</UL>
<P> Addresses in these ranges will never be assigned to anything on the 
Internet. Many routers automatically drop any packet with one of these 
addresses as either source or destination. </P>
<P> You can use FreeS/WAN to route between two such networks, using for 
example <VAR>leftsubnet=192.168.47.0/24</VAR> and <VAR>
rightsubnet=192.168.48.0/24</VAR>. These addresses still do not appear 
on the Internet; they are encapsulated inside IPSEC packets which have 
the gateways' external addresses (from the <VAR>left</VAR> and <VAR>
right</VAR> parameters of the connection description) in their headers. </P>
<H3><A name="roadex">Road Warrior</A></H3>
<P> For our purposes, a &quot;road warrior&quot; is any machine that does not 
have a fixed IP address where it can normally be expected to be on 
line. This includes:</P>
<UL>
<LI>a traveller who might connect from anywhere</LI>
<LI>any machine that has a dynamic IP address -- nearly all dialup 
connections and most DSL or cable modem connections, at least in North 
America</LI>
<LI>most home machines connecting to the office. If you have a home 
firewall that is always left on and has a static IP address, then you 
can use the <A href="#VPNex">VPN</A> configuration described above. 
Otherwise, consider yourself a road warrior.</LI>
</UL>
<P> The configuration for road warrior support looks slightly different 
from a VPN configuration. We cannot use the road warrior's IP address 
in the configuration file since we don't know it, and we don't want to 
have our server retrying connections to road warriors that are no 
longer online.</P>
<P> In this example, the network looks like this:</P>
<PRE>
         subnet a.b.c.0/24               =leftsubnet
                |          (head office has routable IP addresses)
         interface a.b.c.d
            left gateway machine
         interface e.f.g.h               =left
                 |         (external address outside a.b.c.0 subnet)
         interface e.f.g.i               =leftnexthop
              router
                 |
            INTERNET
                 |
     interface with dynamic IP address
          road warrior machine
</PRE>
<P> Here the ipsec.conf(5) files on the two ends are slightly 
different. The one at the office might have exactly the same <VAR>
config setuo</VAR> and <VAR>conn %default</VAR> sections as in the VPN 
example.</P>
<PRE>
# basic configuration
config setup
        interfaces=eth0
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

# defaults that apply to all connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # How to authenticate gatways
        authby=rsasig
</PRE>
<P> Then add a description for the road warrior connection:</P>
<PRE>
# Connection for road warrior Fred 
conn head-fred
        # identity we use in authentication exchanges
        leftid=@head.example.com
        leftrsasigkey=0x175cffc641f...
        # left security gateway (public-network address)
        left=e.f.g.h
        # next hop to reach right
        leftnexthop=e.f.g.i
        # subnet behind left (omit if there is no subnet)
        leftsubnet=a.b.c.0/24
        # accept any address for right
        right=%any
        # any address, provided authentication works
        rightid=@fred.example.com
        rightrsasigkey=0xd9a24765fe...
        # no subnet for a typical road warrior
        # it is possible, but usually not needed
        # let the road warrior start the connection
        auto=add
        # override the default retry for road warriors
        # we don't want to retry if IP connectivity is gone
        keyingtries=1
</PRE>
<P> On the gateway end we use</P>
<UL>
<LI><VAR>right=%any</VAR> so we have no preset idea of right's IP 
address and will accept whatever arrives on the packets</LI>
<LI><VAR>auto=add</VAR> so we accept connections but don't initiate</LI>
<LI><VAR>keyingtries=1</VAR> so we do not retry to excess when the 
partner disconnects or changes IP address</LI>
</UL>
<P> The file on the road warrior end is nearly identical, except that 
it has: </P>
<UL>
<LI><VAR>interfaces=%defaultroute</VAR> to handle the dynamic IP 
address.</LI>
<LI><VAR>right=%defaultroute</VAR></LI>
<LI><VAR>auto=start</VAR> to start the connection</LI>
<LI><VAR>keyingtries=0</VAR> to try to maintain the connection</LI>
</UL>
<P> Additional road warriors can be added as required. Each should have 
his or her own connection description with unique settings for <VAR>
 rightid</VAR> and <VAR>rightrsasigkey</VAR>.</P>
<P> Jean-Francois Nadeau's <A href="http://jixen.tripod.com/#Rw-Fwan-to-Fwan">
Practical Configurations</A> document also has an example  of using RSA 
authentication for road warriors.</P>
<H3><A name="oppex">Opportunistic encryption</A></H3>
 We use the term <A href="glossary.html">opportunistic encryption</A>
 for encryption which does not rely on any pre-arranged connection, 
hence does not require that the administrators of the two gateways 
involved communicate with each other (for example, to exchange keys) 
before their systems can create a secure connection. 
<P> The idea is that each gateway check the destinations of outgoing 
packets, see if an encrypted connection is possible and, if so, take 
the opportuntity to encrypt. The opportunity will exist whenever the 
admins on both ends have set their systems up for opportunistic 
encryption. </P>
<P> This makes encryption the default behaviour, and could greatly 
increase the overall security of the Internet if it were widely enough 
adopted. See our documents: </P>
<DL>
<DT><A href="politics.html">history and politics</A></DT>
<DD>for the reasons we want to do this </DD>
<DT><A href="#traffic.resist">IPSEC protocols</A></DT>
<DD>for discussion of the general principle of encrypting as much as 
possible </DD>
</DL>
<P> The gateways must be able to authenticate each other for IPSEC to 
be secure. For opportunistic encryption, we rely on the domain name 
system, <A href="glossary.html">DNS</A>, to provide the RSA keys needed 
for this authentication.  Note, that currently this is not entirely 
secure because <STRONG>the DNS mechanism it relies on is not fully 
secure</STRONG>. Eventually, as <A href="#SDNS">secure DNS</A> becomes 
widely deployed, this will change. </P>
<H4><A name="opp.status">Status</A></H4>
 The team have been working on this for some time, and testing 
internally. As of late May, 2001 this code is ready for wider testing. <STRONG>
We encourage everyone to try it.</STRONG>
<P> The main documentation items so far are: </P>
<UL>
<LI>an <A href="opportunism.howto">Opportunism HowTo</A> by Pluto 
programmer Hugh Redelmeier </LI>
<LI>a <A href="opportunism.spec">design document</A> by Hugh and 
technical lead Henry Spencer. </LI>
</UL>
 I am playing catch up. HTML documentation so far is neither complete 
nor particularly clear, and not all of it has had technical review by 
the developers, so it may have errors. What I have so far is below. 
<P> Note that both software and documentation for this are changing 
quickly. You may want the latest snapshot for opportunism experiments. </P>
<P><STRONG> We do not yet recommend this code for production use</STRONG>
. You should still protect your critical data with explicitly 
configured IPSEC tunnels, rather than relying on opportunistic for 
everything at this stage. </P>
<H4><A name="opp.config">ipsec.conf entries for opportunism</A></H4>
 The relevant lines in the config file might look like this:
<PRE>
conn subnet-to-anyone              # for our client subnet
        leftsubnet=10.42.42.0/24   # any single client in our subnet
        left=%defaultroute         # our SG (defaults leftnexthop too)
        right=%opportunistic
</PRE>
<P> The public key, in our format, must be in a KEY record of the 
appropriate DNS entry for this to work.</P>
<P> Each opportunistic connection supports a single source/destination 
pair of IP addresses. There is no way to build an opportunistic 
connection for a larger subnet. Specifying a subnet in the connection 
description,  as in the example above, just means that any host in that 
subnet may have opportunistic connections.</P>
<H4><A name="dns.background">Some DNS background</A></H4>
<P> Opportunism requires that the gateway systems be able to fetch 
public keys, and other IPSEC-related information, from each other's DNS 
(domain name service) records. </P>
<P> DNS is a distributed database that maps names to IP addresses and 
vice versa. A system named gateway.example.com with IP address 
10.20.30.40 should have at least two DNS records: </P>
<DL>
<DT>gateway.example.com. IN A 10.20.30.40 </DT>
<DD>used to look up the name and get an IP address </DD>
<DT>40.30.20.10.in-addr.arpa. IN PTR gateway.example.com. </DT>
<DD>used for reverse lookups, looking up an address to get the 
associated name. Notice that the digits here are in reverse order; the 
actual address is 10.20.30.40 but we use 40.30.20.10 here. </DD>
</DL>
 Some syntactic details are: 
<UL>
<LI>the IN indicates that these records are for <STRONG>In</STRONG>
ternet addresses </LI>
<LI>The final periods in '.com.' and '.arpa.' are required. They 
indicate the root of the domain name system. </LI>
</UL>
 For much more detail, see: 
<UL>
<LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Linux Network 
Administrator's Guide</A></LI>
<LI>the standard <A href="#DNS.book">DNS reference</A> book </LI>
<LI><A href="http://www.nominum.com/resources/whitepapers/bind-white-paper.html">
BIND overview</A></LI>
<LI><A href="http://www.nominum.com/resources/documentation/Bv9ARM.pdf">
BIND 9 Administrator's Reference</A></LI>
</UL>
 The capitalised strings after IN indicate the type of record. Possible 
types include: 
<UL>
<LI><STRONG>A</STRONG>ddress </LI>
<LI><STRONG>P</STRONG>oin<STRONG>T</STRONG>e<STRONG>R</STRONG></LI>
<LI><STRONG>C</STRONG>anonical <STRONG>NAME</STRONG>, records to 
support aliasing,  multiple names for one address </LI>
<LI><STRONG>MX</STRONG>, used in mail handling </LI>
<LI><STRONG>SIG</STRONG>nature, used in <A href="#SDNS">secure DNS</A></LI>
<LI><STRONG>KEY</STRONG>, used in <A href="#SDNS">secure DNS</A></LI>
<LI><STRONG>T</STRONG>e<STRONG>XT</STRONG>, a multi-purpose record type </LI>
</UL>
 To set up for opportunistic encryption, you add some KEY and TXT 
records to your DNS data. 
<H4><A name="dnskey">Putting IPSEC information in DNS</A></H4>
 There are two types of DNS record to be added: 
<UL>
<LI>each gateway must have a KEY record which other gateways can query 
to fetch its RSA authentication key </LI>
<LI>any client whose communications are to be protected by a gateway 
must have a TXT record pointing to that machine as an authorised IPSEC 
gateway </LI>
</UL>
<A href="manpage.d/ipsec_showhostkey.8.html"> ipsec_showhostkey(8)</A>
 provides the key in DNS record format. You will need to put it in the 
appropriate place in the DNS records. 
<P> To be more precise, quoting the Opportunism Design document: </P>
<PRE>
For reference, the minimum set of DNS records needed to make
this all work is either:

1.  TXT in Destination reverse  map,  identifying  Responder
    and providing public key.
2.  KEY in Initiator reverse map, providing public key.
3.  TXT  in  Source  reverse  map, verifying relationship to
    Initiator.

or:

1.  TXT in Destination reverse map, identifying Responder.
2.  KEY in Responder reverse map, providing public key.
3.  KEY in Initiator reverse map, providing public key.
4.  TXT in Source reverse  map,  verifying  relationship  to
    Initiator.

Slight  complications  ensue  for dynamic addresses, lack of
control over reverse maps, etc.
</PRE>
<H5><A name="dns.client">DNS records for client systems</A></H5>
 You must have control of the reverse maps for your client systems, or 
opportunistic IPSEC cannot be made to work. 
<P> The client systems will be either Source or Destination, so  they 
must have: </P>
<PRE>
1.  TXT in Destination reverse  map,  identifying  Responder
    and providing public key.
2.  ...
3.  TXT  in  Source  reverse  map, verifying relationship to
    Initiator.

or:

1.  TXT in Destination reverse map, identifying Responder.
2.  ...
3.  ...
4.  TXT in Source reverse  map,  verifying  relationship  to
    Initiator.
</PRE>
 If you control the gateway's reverse map, example client records would 
look like this: 
<PRE>
42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
42.42.42.10.in-addr.arpa. IN TXT &quot;X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8&quot;
</PRE>
 which can also be written as just: 
<PRE>
42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
                          IN TXT &quot;X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8&quot;
</PRE>
 This provides the IP address of the security gateway and the public 
key which the gateway will use to authenticate itself. This is the 
preferred method. 
<H5><A name="dns.gateway">DNS records for gateway systems</A></H5>
 The gateways will be either Initiator or Responder so they need: 
<PRE>
1.  ...
2.  KEY in Initiator reverse map, providing public key.
3.  ...

or:

1.  ...
2.  KEY in Responder reverse map, providing public key.
3.  KEY in Initiator reverse map, providing public key.
4.  ...
</PRE>
<P> If you control the gateway's reverse map, you just add a KEY record 
there. That is all the gateway reverse map needs, whether it is working 
as Initiator or Responder. </P>
<P> Here is an example, with many characters of the key itself left 
out: </P>
<PRE>
40.30.20.10.in-addr.arpa. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
</PRE>
 This allows lookups on the IP address of the gateway to retrieve the 
key. 
<H6>If you <EM>don't</EM> control the gateway's reverse map</H6>
 The approach must be different if you do not have control over the 
reverse map for your gateway. Perhaps your ISP controls that, and 
provides no way for you to put data into their maps. Without that, you 
cannot set your gateway up to respond to incoming opportunistic 
requests (short of changing ISPs, which you might consider). 
<P> However, suppose a friend over at example.org will let you put 
things in their maps. That will allow you to set your gateway up to 
handle opportunistic connections for which it is the initiator. </P>
<P> You still need to be able to put data in the reverse map for your 
clients. However, that data is slightly different: </P>
<PRE>
42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
                          IN TXT &quot;X-IPsec-Server(10)=something.example.org&quot;
</PRE>
 Over at example.org, your friend puts these lines in the DNS data 
files: 
<PRE>
something.example.org. IN A 10.20.30.40
something.example.org. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
</PRE>
 Your gateway must identify itself in IKE as something.example.org, not 
as gateway.example.com. You set that up via <VAR>leftid=</VAR> or <VAR>
rightid=</VAR> entries in <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A>. 
<P> With this arrangement, the remote gateway receives an ID payload 
early in IKE with your (bogus) gateway name &quot;something.example.org&quot;. 
Then it looks up that name to get the IP address and key for the 
gateway. </P>
<H2><A name="handy">Simplifying ipsec.conf files</A></H2>
<P> We provide several features in the syntax of the <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> file that are intended to simplify the work of 
managing complex multi-connection setups:</P>
<UL>
<LI>a <VAR>conn %default</VAR> connection description for information 
 common to all connections</LI>
<LI><VAR>also=</VAR> lines allow a piece of a description to be defined 
in  one place and used in several (the definition must be after all 
 references)</LI>
<LI><VAR>include</VAR> directives allow information to be stored in 
 separate files but used as part of the configuration</LI>
</UL>
<P> These can be combined in whatever way suits your application. One 
example is this ipsec.conf file for a gateway supporting multiple road 
warriors, all using RSA authentication:</P>
<PRE>
conn %default
        type=tunnel
        pfs=yes
        keylife=2h
        authby=rsasig                   # all connections use RSA authentication
        keyingtries=1                   # road warrior can retry, we shouldn't
        # some parameters are common to all remote systems
        right=%any                      # accept from any address

# pick up all remote system descriptions
# uses shell wildcards
include /etc/ipsec/remote.*.conn

# left side of all connections is the same
# define it after the descriptions which use it
conn leftstuff
        left=101.101.101.101
        leftnexthop=101.101.101.1
        leftsubnet=202.202.202.0/24
        leftid=@gateway.example.org
</PRE>
<P> On the left gateway, we can omit <VAR>leftrsasig</VAR>. That 
gateway uses the private key stored in ipsec.secrets(5) and has no need 
for its own public key. Similarly, the road warriors need not have 
their own public keys in ipsec.conf(5), only the gateway's public key. </P>
<P> The remote connection descriptions in <VAR>/etc/ipsec/remote.*.conn</VAR>
 need then have only a few lines each: </P>
<PRE>
conn myname
        # pick up common info for all connections
        also=leftstuff
        # identify the remote machine
        rightid=@myname.example.org
        rightrsasigkey=0xfc641fd6d9a24...
        # we cannot use auto= in default or an also= section
        # so do it here
        auto=add                       # load, but don't start
</PRE>
<P> Note that if <VAR>auto=add</VAR> or <VAR>auto=start</VAR>
 parameters are used, they <STRONG>must be in the actual connection 
descriptions</STRONG>. Neither putting them in the <VAR>conn default</VAR>
 section nor including them via an <VAR>also=</VAR> line will work.</P>
<P> Also, be careful with the order of sections in this file. The 
parser used requires that a definition comes after the <VAR>also=</VAR>
 line which uses it. In our example, the <VAR>include</VAR> inserts the 
files with the <VAR>also=leftstuff</VAR> lines before the definition of <VAR>
conn leftstuff</VAR> so things are parsed in the correct order.</P>
<H2><A name="fw.basic">Is there a firewall in play?</A></H2>
<P> If firewall packet filtering is being done on either of the 
FreeS/WAN gateway machines, or on any machine on the path between them, 
then you will probably need to adjust the filters before FreeS/WAN can 
work. The filters must allow:</P>
<UL>
<LI>UDP packets between port 500 on one gate and port 500 on the other, 
 used by the automatic keying daemon Pluto.</LI>
<LI>at least one of protocol 50 (ESP) and 51 (AH). Most applications 
want  ESP since AH does only authentication, not encryption.</LI>
</UL>
<P> For more detail, see our <A href="firewall.html">IPSEC and firewalls</A>
 document. </P>
<H2><A name="testing">Testing the installation</A></H2>
<P> This section covers testing connections once you have FreeS/WAN 
installed and your <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
 file set up.</P>
<P> We assume all your connection descriptions use <VAR>auto=add</VAR>
 so that <A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
 loads the descriptions into its internal database at startup but does 
not attempt to start the connections until you tell it to.</P>
<H3><A name="matching">Matching numbers</A></H3>
<P> It is important that the numbers in your connection descriptions 
match the network configuration. FreeS/WAN is almost certain to fail if 
they do not. </P>
<P> Suppose you are at the Reno office and your ipsec.conf file now 
has, among others, these lines:</P>
<PRE>
config setup
        interfaces=&quot;ipsec0=eth0&quot;

conn reno-van
        left=101.101.101.101
        right=202.202.202.202
</PRE>
<P> When you tell FreeS/WAN to start the reno-van connection, it 
doesn't automagically know that it is in Reno, or that it is <VAR>left</VAR>
 in the configuration. It discovers that by comparing the IP address 
for ipsec0 (and, if it is set, for ipsec1) to the addresses for left 
and right. ipsec0 inherits its address from the underlying device, eth0 
in our example.</P>
<P> So in our example, if eth0 has IP address 101.101.101.101 then 
ipsec0 inherits that address, the correct match is found, and this 
FreeS/WAN discovers that it is <VAR>left</VAR>. (If no match is found, <A
href="manpage.d/ipsec_pluto.8.html">Pluto</A> reports &quot;unable to orient 
connection&quot;.)  It then sets itself up with any other left* parameters 
in use -- some of <VAR>leftnexthop</VAR>, <VAR>leftsubnet</VAR>, <VAR>
leftfirewall</VAR> and <VAR>leftid</VAR>. </P>
<P> Once it has these parameters, FreeS/WAN sets things so that </P>
<UL>
<LI>packets from leftsubnet addressed to rightsubnet are routed through 
a  tunnel to right.</LI>
<LI>Packets for leftsubnet can be received on the tunnel and  delivered.</LI>
</UL>
<P> All should be well.</P>
<P> Of course, there must also be interfaces and routes set up so that 
this machine can exchange IP packets both with the right gateway and 
with clients on leftsubnet. This is done with standard Linux utilities 
such as ifconfig(8) and route(8). Also, things must be correct on right 
in Vancouver. It takes two to tunnel.</P>
<P> A data mismatch anywhere in this configuration will cause FreeS/WAN 
to fail and to log various error messages. Depending on just how 
confused  FreeS/WAN is and about what, the error messages may be 
somewhat confusing.  See our <A href="trouble.html">troubleshooting</A>
 section to get help  interpreting them if required.</P>
<P><EM> We recommend double-checking for consistency here before 
starting actual tests.</EM>.</P>
<H3><A name="testsetup">Sanity checking</A></H3>
<P> Reboot both gateways to get FreeS/WAN started. No connections are 
actually made yet, but the stage is set.</P>
<P> Examine /var/log/messages for any signs of trouble.</P>
<P> On both gateways, the following entries should now exist in the 
/proc/net/ directory:</P>
<UL>
<LI>ipsec_eroute</LI>
<LI>ipsec_spi</LI>
<LI>ipsec_spigrp</LI>
<LI>ipsec_spinew</LI>
<LI>ipsec_tncfg</LI>
<LI>ipsec_version</LI>
</UL>
<P> and the IPSEC interfaces should be attached on top of the specified 
physical interfaces. Confirm that with:</P>
<PRE>
        cat /proc/net/ipsec_tncfg
</PRE>
<P> You should see at least device ipsec0, and each ipsec device should 
point to a physical device, eg. 'ipsec0 -&gt; eth0 mtu=16260 -&gt; 1500'. 
Routing connections through this pseudo-device with our eroute(8) 
utility causes the data to be encrypted before being delivered to the 
underlying network interface.</P>
<P> Don't be surprised when you cannot find that /dev/ipsec0 or 
/dev/ipsec1. They do not exist. Other network pseudo-devices such as 
eth0 and eth1 do not have entries in /dev either. In general, network 
devices do not need such entries.</P>
<H3><A name="test">Starting a connection</A></H3>
<P> On one gateway, start IPSEC with:</P>
<PRE>
        ipsec auto --up <VAR>name</VAR>
</PRE>
<P> replacing <VAR>name</VAR> with the connection name you used in 
ipsec.conf(5).</P>
<P> Note that to shut down a connection, you must do:</P>
<PRE>
        ipsec auto --down <VAR>name</VAR>
</PRE>
<P> on <EM>both</EM> gateway machines, even though you only start it 
from one.</P>
<P> If the <VAR>ipsec auto --up</VAR> command doesn't generate any 
errors, do</P>
<PRE>
        ipsec look
</PRE>
<P> and see if the output looks something like this:</P>
<PRE>
foo.spsystems.net Wed Nov 25 22:51:45 EST 1998
-------------------------
10.0.1.0/24 -&gt; 11.0.1.0/24 =&gt; tun0x200@11.0.0.1 esp0x202@11.0.0.1
-------------------------
tun0x200@11.0.0.1 IPv4_Encapsulation: dir=out   10.0.0.1 -&gt; 11.0.0.1
esp0x203@10.0.0.1 3DES-MD5-96_Encryption: dir=in  iv=0xc2cbca5ba42ffbb6  seq=0  bit=0x00000000  win=0  flags=0x0&lt;&gt;
esp0x202@11.0.0.1 3DES-MD5-96_Encryption: dir=out  iv=0xc2cbca5ba42ffbb6  seq=0  bit=0x00000000  win=0  flags=0x0&lt;&gt;
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
11.0.0.0        0.0.0.0         255.255.255.0   U      1500 0          0 eth1
11.0.1.0        11.0.0.1        255.255.255.0   UG     1404 0          0 ipsec0</PRE>
<P> If it does, you're probably in business.</P>
<P> This example shows:</P>
<PRE>
        a tunnel              tun0x200 going to 11.0.0.1
        outgoing connection   esp0x202
        incoming connection   esp0x203
</PRE>
<P> Both connections use <A href="#ESP">ESP</A> with <A href="#3DES">
3DES</A> encryption and <A href="#MD5">MD5</A> authentication.</P>
<P> The routing is:</P>
<PRE>
        11.0.0.0    via eth1 and the Internet
        11.0.1.0    via ipsec0 which encrypts and then sends to 11.0.0.1
</PRE>
<P> This routes all traffic to the protected network 11.0.1.0/24 
through an IPSEC tunnel to the gateway 11.0.0.1.</P>
<H3><A name="pingtest">Ping tests</A></H3>
<P> If that works, test whether Sunrise can ping Sunset and vice versa. 
Our  example setup again is:</P>
<PRE>
        Sunset==========West------------------East=========Sunrise
              local net       untrusted net       local net
</PRE>
<P> There is no point in testing to or from the gateways themselves; 
the goal is to secure traffic between the subnets, not between the 
security gateways themselves.</P>
<P> In general, pings or other <STRONG>tests using the public 
interfaces of East and/or West are entirely useless</STRONG>. The IPSEC 
tunnel is for packets between the two protected subnets and the outside 
interfaces are not on those subnets. Depending on your routing 
configuration, test packets sent via those interfaces will be:</P>
<UL>
<LI>either transmitted in the clear, bypassing the tunnel,</LI>
<LI>or discarded because there is no tunnel in place to handle them</LI>
</UL>
<P> In either case, <STRONG>they tell you nothing about the tunnel</STRONG>
.</P>
<P> Sometimes it will be inconvenient to use the client machines 
(Sunrise and  Sunset in our example) for testing. In these cases, use a 
command such  as:</P>
<PRE>
     traceroute -i eth0 -f 20 192.168.7.1
</PRE>
<P> where each of the interfaces specified (eth0 and 192.168.7.1 in the 
example) are <STRONG>on one of the protected subnets</STRONG>, eth0 
being the local gateway's interface on that side and 192.168.7.1 the 
remote gateway's subnet interface. This forces the packets through the 
IPSEC tunnel you want to test.</P>
<P> For information on setting things up so that gateways can do IPSEC 
to each other or to remote subnets, see <A href="#multitunnel">below</A>
.</P>
<P>If you have other software set up, test with it as well. Telnet from 
 Sunrise to Sunset, browse a web server on the remote net and so on.</P>
<H3><A name="tcpdump">Testing with tcpdump</A></H3>
<P> To verify that all is working, run tcpdump(8) on a machine which 
can listen to the traffic between the gateways.</P>
<P> This is most easily done from a third machine, rather than from one 
of the gateways. On the gateways you may see packets at intermediate 
stages of processing and the result may be confusing. </P>
<P> If the results make no sense at all, or you see &quot;bad physical 
medium&quot; error messages, you probably have an outdated version of 
tcpdump(8) that does not handle IPSEC at all. See our <A href="#tcpdump">
FAQ</A>.</P>
<P> The packets should, except for some of the header information, be 
utterly unintelligible. The output of good encryption looks exactly 
like random noise.</P>
<P>You can put recognizable data in the ping packets with something 
 like:</P>
<PRE>        ping -p feedfacedeadbeef 11.0.1.1</PRE>
<P> &quot;feedfacedeadbeef&quot; is a legal hexadecimal pattern that is easy to 
pick out of hex dumps.</P>
<P> For many other protocols, you need to check if you have encrypted 
data or ASCII text. Encrypted data has approximately equal frequencies 
for all 256 possible characters. ASCII text has most characters in the 
printable range 0x20-0x7f, a few control characters less than 0x20, and 
none at all in the range 0x80-0xff.</P>
<P> 0x20, space, is a good character to look for. In normal English 
text space occurs about once in seven characters, versus about once in 
256 for random or encrypted data. You can put long sequences of spaces 
in your data and look for 0x20202020 in output, but this is not usually 
necessary.</P>
<P> If packets look like total garbage, nothing recognizable, all is 
well. </P>
<P>Note that to shut down a connection, you must do:</P>
<PRE>        ipsec auto --down <VAR>name</VAR></PRE>
<P>on <EM>both</EM> gateway machines, even though you only start it 
from  one.</P>
<P>Again, you can verify with the same commands.</P>
<P>Repeat the ping test. Repeat the tcpdump test.</P>
<P>If everything succeeds, congratulations.</P>
<P><STRONG>You now have a working Linux FreeS/WAN installation.</STRONG></P>
<H2><A name="links.conf">What next?</A></H2>
<P> At this point you should have a working FreeS/WAN setup. If not, 
you could go back and doublecheck various things above or try:</P>
<P>
<UL>
<LI>our <A href="faq.html">FAQ</A></LI>
<LI>our <A href="trouble.html">troubleshooting</A> section</LI>
</UL>
<P> If all is well so far, you could continue with this section to 
explore other ways to configure FreeS/WAN connections or branch out to:</P>
<UL>
<LI>more detail on the <A href="ipsec.html">IPSEC protocols</A></LI>
<LI><A href="interop.html">interoperating</A> with other IPSEC 
implementations</LI>
<LI><A href="politics.html">history and politics of cryptography</A></LI>
<LI>additional <A href="examples">configuration examples</A></LI>
</UL>
<P> Of course you might just go off for a beverage or meal at this 
point as well.</P>
<H2><A name="otherconf">Other configuration possibilities</A></H2>
<P> The rest of this section describes various less-used options for 
FreeS/WAN.</P>
<H3><A name="choose">Choosing connection types</A></H3>
<P> The first major decision you need to make before configuring 
additional connections is what type or types of connections you will 
use. There are several options, and you can use more than one 
concurrently.</P>
<H4><A name="man-auto">Manual vs. automatic keying</A></H4>
<P> IPSEC allows two types of connections, with manual or automatic 
keying. FreeS/WAN starts them with commands such as:</P>
<PRE>
        ipsec manual --start <VAR>name</VAR>
        ipsec auto --up <VAR>name</VAR>
</PRE>
<P>The difference is in how they are keyed.</P>
<DL>
<DT><A href="#manual">Manually keyed</A> connections</DT>
<DD>use keys stored in <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
.</DD>
<DT><A href="#auto">Automatically keyed</A> connections</DT>
<DD>use keys automatically generated by the Pluto  key negotiation 
daemon. The key negotiation protocol, <A href="#IKE">IKE</A>, must 
authenticate the other system. (It is  vulnerable to a <A href="#middle">
man-in-the-middle attack</A> if used  without authentication.) We 
currently support two authentication  methods: 
<UL>
<LI>using shared secrets stored in <A href="manpage.d/ipsec.secrets.5.html">
ipsec.secrets</A>.</LI>
<LI>RSA <A href="#public">public key</A> authentication, with public 
 keys for other machines in <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf</A> and our  machine's private key in <A href="manpage.d/ipsec.secrets.5.html">
ipsec.secrets</A>.</LI>
</UL>
</DD>
</DL>
<P><A href="#manual"> Manually keyed</A> connections provide weaker 
security than <A href="#auto">automatically keyed</A> connections. An 
opponent who gets a key gets all data encrypted by it. We discuss using <A
href="#prodman">manual keying in production</A> below, but this is <STRONG>
not recommended</STRONG> except in special circumstances, such as 
needing to communicate with some implementation that offers no 
auto-keyed mode compatible with FreeS/WAN. Manual keying is useful for 
testing.</P>
<P> With automatically-(re)-keyed connections, the keys change often so 
an opponent who gets one key does not get a large amount of data. An 
opponent who gets a shared secret, or your private key if public key 
authentication is used, does not automatically gain access to any 
encryption keys or any data. Once your authentication mechanism has 
been subverted you have no way to prevent the attacker getting keys and 
data, but the attacker still has to work for them.</P>
<H4><A name="auto-auth">Authentication methods for auto-keying</A></H4>
<P> The IKE protocol which Pluto uses to negotiate connections between 
gateways must use some form of authentication of peers. A gateway must 
know who it is talking to before it can create a secure connection. We 
currently support two methods for this authentication:</P>
<UL>
<LI>shared secrets</LI>
<LI>RSA authentication</LI>
</UL>
<P> See our <A href="#patch">links section</A> for information on 
 user-contributed patches which provide a third mechanism:</P>
<UL>
<LI>authentication with <A href="#X509">x.509</A> certificates</LI>
</UL>
<P> As a long-term goal, FreeS/WAN plans to support distribution of 
public keys for authentication via <A href="#SDNS">secure DNS</A>. This 
would allow us to support <A href="#carpediem">opportunistic encryption</A>
. Any two FreeS/WAN gateways could provide secure communication, 
without either of them having any preset information about the other.</P>
<P>This is <STRONG>not implemented in this release</STRONG>.</P>
<H4><A name="adv-pk">Advantages of public key methods</A></H4>
<P> Authentication with a <A href="#public">public key</A> method such 
as <A href="#RSA">RSA</A> has some important advantages over using 
shared  secrets.</P>
<UL>
<LI>no problem of secure transmission of secrets 
<UL>
<LI>A shared secret must be shared, so you have the problem of 
 transmitting it securely to the other party. If you get this wrong, 
 you have no security.</LI>
<LI>With a public key technique, you transmit only your public key. 
 The system is designed to ensure that it does not matter if an enemy 
 obtains public keys. The private key never leaves your machine.</LI>
</UL>
</LI>
<LI>easier management 
<UL>
<LI>Suppose you have 20 branch offices all connecting to one gateway at 
 head office, and all using shared secrets. Then the head office admin 
 has 20 secrets to manage. Each of them must be kept secret not only 
 from outsiders, but also from 19 of the branch office admins. The 
 branch office admins have only one secret each to manage.</LI>
<P> If the branch offices need to talk to each other, this becomes 
 problematic. You need another <NOBR>20*19/2 = 190</NOBR> secrets for 
branch-to-branch  communication, each known to exactly two branches. 
Now all the branch  admins have the headache of handling 20 keys, each 
shared with exactly  one other branch or with head office. </P>
<P> For larger numbers of branches, the number of connections and 
secrets  increases quadratically  and managing them becomes a 
nightmare. A  1000-gateway fully connected network needs 499,500 
secrets, each  known to exactly two players. There are ways to reduce 
this problem,  for example by introducing a central key server, but 
these involve  additional communication overheads, more administrative 
work, and  new threats that must be carefully guarded against.</P>
</UL>
</LI>
<LI>With public key techniques, the <EM>only</EM> thing you have to 
 keep secret is your private key, and <EM>you keep that secret from 
 everyone</EM>. </LI>
<P> As network size increaes, the number of public keys used increases 
linearly  with the number of nodes. This still requires careful 
administration in large  applications, but is nothing like the disaster 
of a quadratic increase. On a  1000-gateway network, you have 1000 
private keys, each of which must be kept  secure on one machine, and 
1000 public keys which must be distributed. This  is not a trivial 
problem, but it is manageable. </P>
</UL>
<LI>does not require fixed IP addresses 
<UL>
<LI>When shared secrets are used in IPSEC, the responder must be able 
 to tell which secret to use by looking at the IP address on the 
 incoming packets.  When the other parties do not have a fixed IP 
 address to be identified by (for example, on nearly all dialup ISP 
 connections and many cable or ADSL links), this does not work well  -- 
all must share the same secret!</LI>
<LI>When RSA authentication is in use, the initiator can identify 
 itself by name before the key must be determined.  The responder  then 
checks that the message is signed with the public key  corresponding to 
that name.</LI>
</UL>
</LI>
<P>There is also a disadvantage:</P>
<UL>
<LI>your private key is a single point of attack, extremely valuable to 
an  enemy 
<UL>
<LI>with shared secrets, an attacker who steals your ipsec.secrets 
 file can impersonate you or try <A href="#middle">man-in-the-middle</A>
 attacks, but can only attack  connections described in that file</LI>
<LI>an attacker who steals your private key gains the chance to attack 
 not only existing connections <EM>but also any future  connections</EM>
 created using that key</LI>
</UL>
</LI>
</UL>
<P>This is partly counterbalanced by the fact that the key is never 
 transmitted and remains under your control at all times. It is likely 
 necessary, however, to take account of this in setting security 
policy. For  example, you should change gateway keys when an 
administrator leaves the  company, and should change them periodically 
in any case.</P>
<P> Overall, public key methods are <STRONG>more secure, more easily 
managed and more flexible</STRONG>. We recommend that they be used for 
all connections, unless there is a compelling reason to do otherwise.</P>
<H3><A name="prodsecrets">Using shared secrets in production</A></H3>
<P> Generally, public key methods are preferred for reasons given 
above, but shared secrets can be used with no loss of security, just 
more work and perhaps more need to take precautions.</P>
<H4><A name="secrets">Putting secrets in ipsec.secrets(5)</A></H4>
<P> If shared secrets are to be used to <A href="#authentication">
authenticate</A> communication for the <A href="#DH">Diffie-Hellman</A>
 key exchange in the <A href="#IKE">IKE</A> protocol, then those 
secrets must be stored in <VAR>/etc/ipsec.secrets</VAR>. For details, 
see the <A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A>
 man page.</P>
<P>A few considerations are vital:</P>
<UL>
<LI>make the secrets long and unguessable. Since they need not be 
 remembered by humans, very long ugly strings may be used. We suggest 
 using our <A href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</A>
 utility to generate long (128 bits or more) random strings.</LI>
<LI>transmit secrets securely. You have to share them with other 
systems,  but you lose if they are intercepted and used against you. 
Use <A href="#PGP">PGP</A>, <A href="#SSH">SSH</A>, hand delivery of a 
floppy  disk which is then destroyed, or some other trustworthy method 
to  deliver them.</LI>
<LI>store secrets securely, in root-owned files with permissions 
 rw------.</LI>
<LI>limit sharing of secrets. Alice, Bob, Carol and Dave may all talk 
to  each other, but only Alice and Bob should know the secret for an 
 Alice-Bob link.</LI>
<LI><STRONG>do not share private keys</STRONG>. The private key for RSA 
 authentication of your system is stored in <A href="manpage.d#ipsec.secrets.5.html">
 ipsec.secrets(5)</A>, but it  is a different class of secret from the 
pre-shared keys used for the  &quot;shared secret&quot; authentication. No-one 
but you should have  the RSA private key. </LI>
</UL>
<P> Each line has the IP addresses of the two gateways plus the secret. 
It  should look something like this:</P>
<PRE>
        10.0.0.1 11.0.0.1 : PSK &quot;jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT&quot;
</PRE>
<P><VAR> PSK</VAR> indicates the use of a <STRONG>p</STRONG>re-<STRONG>s</STRONG>
hared <STRONG> k</STRONG>ey. The quotes and the whitespace shown are 
required. </P>
<P> You can use any character string as your secret. For security, it 
should be both long and extremely hard to guess. We provide a utility 
to generate such strings, <A href="manpage.d/ipsec_ranbits.8.html">
ipsec_ranbits(8)</A>. </P>
<P> You want the same secret on the two gateways used, so you create a 
line with that secret and the two gateway IP addresses. The 
installation process supplies an example secret, useful <EM>only</EM>
 for testing. You must change it for production use.</P>
<H4><A name="securing.secrets">File security</A></H4>
<P> You must deliver this file, or the relevant part of it, to the 
other gateway machine by some <STRONG>secure</STRONG> means. <EM>Don't 
just FTP or mail the file!</EM> It is vital that the secrets in it 
remain secret. An attacker who knew those could easily have <EM>all the 
data on your &quot;secure&quot; connection</EM>.</P>
<P> This file must be owned by root and should have permissions <VAR>
rw-------</VAR>.</P>
<H4><A name="notroadshared">Shared secrets for road warriors</A></H4>
<P> You can use a shared secret to support a single road warrior 
connecting to your gateway, and this is a reasonable thing to do in 
some circumstances. Public key methods have advantages, discussed <A href="#choose">
above</A>, but they are not critical in this case.</P>
<P> To do this, the line in ipsec.secrets(5) is something like: </P>
<PRE>
        10.0.0.1 0.0.0.0 : PSK &quot;jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT&quot;
</PRE>
 where the <VAR>0.0.0.0</VAR> means that any IP address is acceptable. 
<P><STRONG> For more than one road warrior, shared secrets are <EM>not</EM>
 recommended.</STRONG> If shared secrets are used, then when the 
responder needs to look up the secret, all it knows about the sender is 
an IP address. This is fine if the sender is at a fixed IP address 
specified in the config file. It is also fine if only one road warrior 
uses the wildcard <VAR>0.0.0.0</VAR> address. However, if you have more 
than one road warrior using shared secret authentication, then they 
must all use that wildcard and therefore <STRONG>all road warriors 
using PSK autentication must use the same secret</STRONG>. Obviously, 
this is insecure. </P>
<P><STRONG> For multiple road warriors, use public key authentication.</STRONG>
 Each roadwarrior can then have its own identity (our <VAR>leftid=</VAR>
 or <VAR>rightid=</VAR> parameters), its own public/private key pair, 
and its own secure connection. </P>
<H3><A name="prodman">Using manual keying in production</A></H3>
<P> Generally, <A href="#auto">automatic keying</A> is preferred over <A href="#manual">
manual keying</A> for production use because it is both easier to 
manage and more secure. Automatic keying frees the admin from much of 
the burden of managing keys securely, and can provide <A href="#PFS">
perfect forward secrecy</A>.</P>
<P> However, it is possible to use manual keying in production if that 
is what you want to do. This might be necessary, for example, in order 
to interoperate with some device that either does not provide automatic 
keying or provides it in some version we cannot talk to.</P>
<P> Note that with manual keying <STRONG>all security rests with the 
keys</STRONG>. If an adversary acquires your keys, you've had it. He or 
she can read everything ever sent with those keys, including old 
messages he or she may have archived. You need to <STRONG>be really 
paranoid about  keys</STRONG> if you're going to rely on manual keying 
for anything  important.</P>
<UL>
<LI>keep keys in files with 600 permissions, owned by root</LI>
<LI>be extremely careful about security of your gateway systems. 
 Anyone who breaks into a gateway and gains root privileges can  get 
all your keys and read everything ever encrypted  with those keys, both 
old messages he has archived and any new ones  you may send. </LI>
<LI>change keys regularly. This can be a considerable bother, (and 
 provides an excellent reason to consider automatic keying instead), 
 but it is <EM>absolutely essential</EM> for security. Consider a 
manually  keyed system in which you leave the same key in place for 
months: 
<UL>
<LI>an attacker can have a very large sample of text sent with that 
 key to work with. This makes various cryptographic attacks much  more 
likely to succeed. </LI>
<LI>The chances of the key being compromised in some non-cryptographic 
 manner -- a spy finds it on a discarded notepad, someone breaks into 
 your server or your building and steals it, a staff member is bribed, 
 tricked, seduced or coerced into revealing it, etc. -- also increase 
 over time. </LI>
<LI>a successful attacker can read everything ever sent with that key. 
 This makes any successful attack extremely damaging. </LI>
</UL>
 It is clear that you must change keys often to have any useful 
security.  The only question is how often. </LI>
<LI>use <A href="#PGP">PGP</A> or <A href="#SSH">SSH</A> for all key 
 transfers</LI>
<LI>don't edit files with keys in them when someone can look over your 
 shoulder</LI>
<LI>worry about network security; could someone get keys by snooping 
 packets on the LAN between your X desktop and the gateway?</LI>
<LI>lock up your backup tapes for the gateway system</LI>
<LI>... and so on</LI>
</UL>
<P> Linux FreeS/WAN provides some facilities to help with this. In 
particular, it is good policy to <STRONG>keep keys in separate files</STRONG>
 so you can edit configuration information in /etc/ipsec.conf without 
exposing keys to &quot;shoulder surfers&quot; or network snoops. We support this 
with the <VAR>also=</VAR> and <VAR>include</VAR> syntax in <A href="manpage.d/ipsec_conf.5.html">
 ipsec.conf(5)</A>.</P>
<P> See the last example in our <A href="examples">examples</A> file. 
In the  /etc/ipsec.conf <VAR>conn samplesep</VAR> section, it has the 
line:</P>
<PRE>
        also=samplesep-keys
</PRE>
<P> which tells the &quot;ipsec manual&quot; script to insert the configuration 
description labelled &quot;samplesep-keys&quot; if it can find it. The 
/etc/ipsec.conf file must also have a line such as:</P>
<PRE>
include ipsec.*.conf
</PRE>
<P> which tells it to read other files. One of those other files then 
might contain the additional data:</P>
<PRE>
conn samplesep-keys
  spi=0x200
  esp=3des-md5-96
  espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
  espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
</PRE>
<P> The first line matches the label in the &quot;also=&quot; line, so the 
indented lines are inserted. The net effect is exactly as if the 
inserted lines had occurred in the original file in place of the 
&quot;also=&quot; line.</P>
<P>Variables set here are:</P>
<DL>
<DT>spi</DT>
<DD>A number needed by the manual keying code. Any 3-digit hex number 
 will do, but if you have more than one manual connection then <STRONG>
 spi must be different</STRONG> for each connection.</DD>
<DT>esp</DT>
<DD>Options for <A href="#ESP">ESP</A> (Encapsulated Security Payload), 
 the usual IPSEC encryption mode. Settings here are for <A href="#encryption">
encryption</A> using <A href="#3DES">triple DES</A> and <A href="#authentication">
authentication</A> using <A href="#MD5">MD5</A>. Note that encryption 
without authentication  should not be used; it is insecure.</DD>
<DT>espenkey</DT>
<DD>Key for ESP encryption. Here, a 192-bit hex number for triple  DES.</DD>
<DT>espauthkey</DT>
<DD>Key for ESP authentication. Here, a 128-bit hex number for MD5. </DD>
</DL>
<P><STRONG> Note</STRONG> that the <STRONG>example keys we supply</STRONG>
 are intended <STRONG>only for testing</STRONG>. For real use, you 
should go to automatic keying. If that is not possible, create your own 
keys for manual mode and keep them secret </P>
<P>Of course, any files containing keys <STRONG>must</STRONG> have 600 
permissions and be owned by root.</P>
<P> If you connect in this way to multiple sites, we recommend that you 
keep  keys for each site in a separate file and adopt some naming 
convention that  lets you pick them all up with a single &quot;include&quot; 
line. This minimizes the  risk of losing several keys to one error or 
attack and of accidentally  giving another site admin keys which he or 
she has no business knowing.</P>
<P>Also note that if you have multiple manually keyed connections on a 
 single machine, then the <VAR>spi</VAR> parameter must be different 
for each  one. Any 3-digit hex number is OK, provided they are 
different for each  connection. We reserve the range 0x100 to 0xfff for 
manual connections.  Pluto assigns SPIs from 0x1000 up for 
automatically keyed connections.</P>
<P>If <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> contains 
keys  for manual mode connections, then it too must have permissions <VAR>
 rw-------</VAR>. We recommend instead that, if you must manual keying 
 in production, you keep the keys in separate files.</P>
<P> Note also that <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
 is installed with permissions <VAR>rw-r--r--</VAR>. If you plan to use 
manually  keyed connections for anything more than initial testing, you <B>
 must</B>:</P>
<UL>
<LI>either change permissions to <VAR>rw-------</VAR></LI>
<LI>or store keys separately in secure files and access them via 
include  statements in <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
. </LI>
</UL>
<P> We recommend the latter method for all but the simplest 
configurations.</P>
<P>
<H4><A name="ranbits">Creating keys with ranbits</A></H4>
<P>You can create new <A href="#random">random</A> keys with the <A href="manpage.d/ipsec_ranbits.8.html">
ranbits(8)</A> utility. For example,  the commands:</P>
<PRE>      umask 177
      ipsec ranbits 192  &gt; temp
      ipsec ranbits 128 &gt;&gt; temp</PRE>
<P>create keys in the sizes needed for our default algorithms:</P>
<UL>
<LI>192-bit key for <A href="#3DES">3DES</A> encryption 
<BR> (only 168 bits are used; parity bits are ignored)</LI>
<LI>128-bit key for keyed <A href="#MD5">MD5</A> authentication</LI>
</UL>
<P>If you want to use <A href="#SHA">SHA</A> instead of <A href="#MD5">
MD5</A>, that requires a 160-bit key</P>
<P>Note that any <STRONG>temporary files</STRONG> used must be kept <STRONG>
 secure</STRONG> since they contain keys. That is the reason for the 
 umask command above. The temporary file should be deleted as soon as 
you are  done with it. You may also want to change the umask back to 
its default  value after you are finished working on keys.</P>
<P>The ranbits utility may pause for a few seconds if not enough 
entropy is  available immediately. See ipsec_ranbits(8) and random(4) 
for details. You  may wish to provide some activity to feed entropy 
into the system. For  example, you might move the mouse around, type 
random characters, or do <VAR> du /usr &gt; /dev/null</VAR> in the 
background.</P>
<H3><A name="boot">Setting up connections at boot time</A></H3>
<P>You can tell the system to set up connections automatically at boot 
time  by putting suitable stuff in /etc/ipsec.conf on both systems. The 
relevant  section of the file is labelled by a line reading <VAR>config 
 setup</VAR>.</P>
<P>Details can be found in the <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> man page. We also  provide a file of <A href="examples">
example configurations</A>.</P>
<P>The most likely options are something like:</P>
<P>
<DL>
<DT>interfaces=&quot;ipsec0=eth0 ipsec1=ppp0&quot;</DT>
<DD>Tells KLIPS which interfaces to use. Up to four interfaces numbered 
 ipsec[0-3] are supported. Each interface can support an arbitrary 
 number of tunnels. </DD>
<P>Note that for PPP, you give the ppp[0-9] device name here, not the 
 underlying device such as modem (or eth1 if you are using PPPoE).</P>
<DT>interfaces=%defaultroute</DT>
<DD>Alternative setting, useful in simple cases. KLIPS will pick up 
both  its interface and the next hop information from the settings of 
the  Linux default route.</DD>
<DT>forwardcontrol=no</DT>
<DD>Normally &quot;no&quot;. Set to &quot;yes&quot; if the IP forwarding option is disabled 
 in your network configuration. (This can be set as a kernel 
 configuration option or later. e.g. on Redhat, it's in 
 /etc/sysconfig/network and on SuSE you can adjust it with Yast.) Linux 
 FreeS/WAN will then enable forwarding when starting up and turn it off 
 when going down. This is used to ensure that no packets will be 
 forwarded before IPSEC comes up and takes control.</DD>
<DT>syslog=daemon.error</DT>
<DD>Used in messages to the system logging daemon (syslogd) to specify 
 what type of software is sending the messages. If the settings are 
 &quot;daemon.error&quot; as in our example, then syslogd treats the messages as 
 error messages from a daemon. </DD>
<P>Note that <A href="#Pluto">Pluto</A> does not currently pay 
 attention to this variable. The variable controls setup messages  only.</P>
<DT>klipsdebug=</DT>
<DD>Debug settings for <A href="#KLIPS">KLIPS</A>.</DD>
<DT>plutodebug=</DT>
<DD>Debug settings for <A href="#Pluto">Pluto</A>.</DD>
<DT>... for both the above DEBUG settings</DT>
<DD>Normally, leave empty as shown above for no debugging output.
<BR> Use &quot;all&quot; for maximum information.
<BR> See ipsec_klipsdebug(8) and ipsec_pluto(8) man page for other 
options.  Beware that if you set /etc/ipsec.conf to enable debug 
output, your  system's log files may get large quickly.</DD>
<DT>dumpdir=/safe/directory</DT>
<DD>Normally, programs started by ipsec setup don't crash. If they do, 
 by default, no core dump will be produced because such dumps would 
 contain secrets. If you find you need to debug such crashes, you can 
 set dumpdir to the name of a directory in which to collect the core 
 file.</DD>
<DT>manualstart=</DT>
<DD>List of manually keyed connections to be automatically started at 
 boot time. Useful for testing, but not for long term use. Connections 
 which are automatically started should also be automatically  re-keyed.</DD>
<DT>pluto=yes</DT>
<DD>Whether to start <A href="#Pluto">Pluto</A> when ipsec startup is 
 done.
<BR> This parameter is optional and defaults to &quot;yes&quot; if not present. </DD>
<P>&quot;yes&quot; is strongly recommended for production use so that the keying 
 daemon (Pluto) will automatically re-key the connections regularly. 
 The ipsec-auto parameters ikelifetime, ipseclifetime and reykeywindow 
 give you control over frequency of rekeying.</P>
<DT>plutoload=&quot;reno-van reno-adam reno-nyc&quot;</DT>
<DD>List of tunnels (by name, e.g. fred-susan or reno-van in our 
 examples) to be loaded into Pluto's internal database at startup. In 
 this example, Pluto loads three tunnels into its database when it is 
 started. </DD>
<P>If plutoload is &quot;%search&quot;, Pluto will load any connections whose 
 description includes &quot;auto=add&quot; or &quot;auto=start&quot;.</P>
<DT>plutostart=&quot;reno-van reno-adam reno-nyc&quot;</DT>
<DD>List of tunnels to attempt to negotiate when Pluto is started. </DD>
<P>If plutostart is &quot;%search&quot;, Pluto will start any connections whose 
 description includes &quot;auto=start&quot;.</P>
<P>Note that, for a connection intended to be permanent, <STRONG>both 
 gateways should be set try to start</STRONG> the tunnel. This allows 
 quick recovery if either gateway is rebooted or has its IPSEC 
 restarted. If only one gateway is set to start the tunnel and the 
 other gateway restarts, the tunnel may not be rebuilt.</P>
<DT>plutowait=no</DT>
<DD>Controls whether Pluto waits for one tunnel to be established 
before  starting to negotiate the next. You might set this to &quot;yes&quot; 
<UL>
<LI>if your gateway is a very limited machine and you need to  conserve 
resources.</LI>
<LI>for debugging; the logs are clearer if only one connection is 
 brought up at a time</LI>
</UL>
 For a busy and resource-laden production gateway, you likely want &quot;no&quot; 
 so that connections are brought up in parallel and the whole process 
 takes less time.</DD>
</DL>
<P>The example assumes you are at the Reno office and will use IPSEC to 
 Vancouver, New York City and Amsterdam.</P>
<H3><A name="multitunnel">Multiple tunnels between the same two gateways</A>
</H3>
<P>Consider a pair of subnets, each with a security gateway, connected 
via  the Internet:</P>
<PRE>
         192.168.100.0/24           left subnet
              |
         192.168.100.1
         North Gateway
         101.101.101.101            left
              |
         101.101.101.1              left next hop
         [Internet]
         202.202.202.1              right next hop
              |
         202.202.202.202            right
         South gateway
         192.168.200.1
              |
         192.168.200.0/24           right subnet
</PRE>
<P>A tunnel specification such as:</P>
<PRE>
conn northnet-southnet
      left=101.101.101.101
      leftnexthop=101.101.101.1
      leftsubnet=192.168.100.0/24
      leftfirewall=yes
      right=202.202.202.202
      rightnexthop=202.202.202.1
      rightsubnet=192.168.200.0/24
      rightfirewall=yes
</PRE>
 will allow machines on the two subnets to talk to each other. You 
might test this by pinging from polarbear (192.168.100.7) to penguin 
(192.168.200.5). 
<P> However, <STRONG>this does not cover other traffic you might want 
to secure</STRONG>. To handle all the possibilities, you might also 
want these connection descriptions:</P>
<PRE>
conn northgate-southnet
      left=101.101.101.101
      leftnexthop=101.101.101.1
      right=202.202.202.202
      rightnexthop=202.202.202.1
      rightsubnet=192.168.200.0/24
      rightfirewall=yes

conn northnet-southgate
      left=101.101.101.101
      leftnexthop=101.101.101.1
      leftsubnet=192.168.100.0/24
      leftfirewall=yes
      right=202.202.202.202
      rightnexthop=202.202.202.1
</PRE>
<P> Without these, neither gateway can do IPSEC to the remote subnet. 
There is no IPSEC tunnel or eroute set up for the traffic.</P>
<P> In our example, with the non-routable 192.168.* addresses used, 
packets would simply be discarded. In a different configuration, with 
routable addresses for the remote subnet, <STRONG>they would be sent 
unencrypted</STRONG> since there would be no IPSEC eroute and there 
would be a normal IP route.</P>
<P> You might also want:</P>
<PRE>
conn northgate-southgate
      left=101.101.101.101
      leftnexthop=101.101.101.1
      right=202.202.202.202
      rightnexthop=202.202.202.1
</PRE>
<P> This is required if you want the two gateways to speak IPSEC to 
each other.</P>
<P> This requires a lot of duplication of details.  Judicious use of <VAR>
also=</VAR> and <VAR>include</VAR> can reduce this problem.</P>
<P> Note that, while FreeS/WAN supports all four tunnel types, not all 
implementations do. In particular, some versions of Windows 2000 and 
the freely downloadable version of PGP provide only &quot;client&quot; 
functionality. You cannot use them as gateways with a subnet behind 
them. To get that functionality, you must upgrade to Windows 2000 
server or the commercially available PGP products. </P>
<H4><A name="advroute">One tunnel plus advanced routing</A></H4>
 It is also possible to use the new routing features in 2.2 and later 
kernels to avoid most needs for multple tunnels. Here is one mailing 
list message on the topic: 
<PRE>
Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
   Date: Mon, 20 Nov 2000
   From: Justin Guyett &lt;jfg@sonicity.com&gt;

On Mon, 20 Nov 2000, Claudia Schmeing wrote:

&gt; Right                                                         Left
&gt;                      &quot;home&quot;                &quot;office&quot;
&gt; 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
&gt;
&gt; I've created all four tunnels, and can ping to test each of them,
&gt; *except* homegate-officenet.

I keep wondering why people create all four tunnels.  Why not route
traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
And 99% of the time you don't need to access &quot;office&quot; directly, which
means you can eliminate all but the subnet&lt;-&gt;subnet connection.
</PRE>
 and FreeS/WAN technical lead Henry Spencer's comment: 
<PRE>
&gt; I keep wondering why people create all four tunnels.  Why not route
&gt; traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?

This is feasible, given some iproute2 attention to source addresses, but
it isn't something we've documented yet... (partly because we're still
making some attempt to support 2.0.xx kernels, which can't do this, but
mostly because we haven't caught up with it yet).

&gt; And 99% of the time you don't need to access &quot;office&quot; directly, which
&gt; means you can eliminate all but the subnet&lt;-&gt;subnet connection.

Correct in principle, but people will keep trying to ping to or from the
gateways during testing, and sometimes they want to run services on the
gateway machines too.

</PRE>
<H3><A name="biggate">Many tunnels from a single gateway</A></H3>
<P> FreeS/WAN allows a single gateway machine to build tunnels to many 
others. There may, however, be some problems for large numbers as 
indicated in this message from the mailing list:</P>
<PRE>
Subject: Re: Maximum number of ipsec tunnels?
   Date: Tue, 18 Apr 2000
   From: &quot;John S. Denker&quot; &lt;jsd@research.att.com&gt;

Christopher Ferris wrote:

&gt;&gt; What are the maximum number ipsec tunnels FreeS/WAN can handle??

Henry Spencer wrote:

&gt;There is no particular limit.  Some of the setup procedures currently
&gt;scale poorly to large numbers of connections, but there are (clumsy)
&gt;workarounds for that now, and proper fixes are coming.

1) &quot;Large&quot; numbers means anything over 50 or so.  I routinely run boxes
with about 200 tunnels.  Once you get more than 50 or so, you need to worry
about several scalability issues:

a) You need to put a &quot;-&quot; sign in syslogd.conf, and rotate the logs daily
not weekly.

b) Processor load per tunnel is small unless the tunnel is not up, in which
case a new half-key gets generated every 90 seconds, which can add up if
you've got a lot of down tunnels.

c) There's other bits of lore you need when running a large number of
tunnels.  For instance, systematically keeping the .conf file free of
conflicts requires tools that aren't shipped with the standard freeswan
package.

d) The pluto startup behavior is quadratic.  With 200 tunnels, this eats up
several minutes at every restart.   I'm told fixes are coming soon.

2) Other than item (1b), the CPU load depends mainly on the size of the
pipe attached, not on the number of tunnels.
</PRE>
<P> It is worth noting that item (1b) applies only to repeated attempts 
to re-key a data connection (IPSEC SA, Phase 2) over an established 
keying connection (ISAKMP SA, Phase 1). There are two ways to reduce 
this overhead using settings in <A href="manpage.d#ipsec.conf.5.html">
ipsec.conf(5)</A>: </P>
<UL>
<LI>set <VAR>keyingtries</VAR> to some small value to limit repetitions </LI>
<LI>set <VAR>keylife</VAR> to a short time so that a failing data 
connection  will be cleaned up when the keying connection is reset. </LI>
</UL>
<P> The overheads for establishing keying connections (ISAKMP SAs, 
Phase 1) are lower because for these Pluto does not perform expensive 
operations before receiving a reply from the peer.</P>
<H3><A name="extruded">Extruded Subnets</A></H3>
<P>What we call <A href="#extruded">extruded subnets</A> are a special 
case  of <A href="#VPN">VPNs</A>.</P>
<P>If your buddy has some unused IP addresses, in his subnet far off at 
the  other side of the Internet, he can loan them to you... provided 
that the  connection between you and him is fast enough to carry all 
the traffic  between your machines and the rest of the Internet.  In 
effect, he  &quot;extrudes&quot; a part of his address space over the network to 
you, with your  Internet traffic appearing to originate from behind his 
Internet  gateway.</P>
<P>Suppose your friend has a.b.c.0/24 and wants to give you 
a.b.c.240/28.  The initial situation is:</P>
<PRE>    subnet           gateway          Internet
  a.b.c.0/24    a.b.c.1    p.q.r.s</PRE>
 where anything from the Internet destined for any machine in 
a.b.c.0/24 is  routed via p.q.r.s and that gateway knows what to do 
from there. 
<P> Of course it is quite normal for various smaller subnets to exist 
behind your friend's gateway. For example, your friend's company might 
have a.b.c.16/28=development, a.b.c.32/28=marketing and so on. The 
Internet neither knows not cares about this; it just delivers packets 
to the p.q.r.s and lets the gateway do whatever needs to be done from 
there. </P>
<P> What we want to do is take a subnet, perhaps a.b.c.240/28, out of 
your friend's physical location <EM>while still having your friend's 
gateway route to it</EM>. As far as the  Internet is concerned, you 
remain behind that gateway.</P>
<PRE>    subnet           gateway          Internet       your gate  extruded

  a.b.c.0/24   a.b.c.1     p.q.r.s              d.e.f.g         a.b.c.240/28                

                           ========== tunnel ==========</PRE>
<P>The extruded addresses have to be a complete subnet.</P>
<P>In our example, the friend's security gateway is also his Internet 
 gateway, but this is not necessary. As long as all traffic from the 
Internet  to his addresses passes through the Internet gate, the 
security gate could  be a machine behind that. The IG would need to 
route all traffic for the  extruded subnet to the SG, and the SG could 
handle the rest.</P>
<P>First, configure your subnet using the extruded addresses.  Your 
security  gateway's interface to your subnet needs to have an extruded 
address  (possibly using a Linux <A href="#virtual">virtual interface</A>
, if it also  has to have a different address). Your gateway needs to 
have a route to the  extruded subnet, pointing to that interface.  The 
other machines at your  site need to have addresses in that subnet, and 
default routes pointing to  your gateway.</P>
<P>If any of your friend's machines need to talk to the extruded 
subnet, <EM> they</EM> need to have a route for the extruded subnet, 
pointing at his  gateway.</P>
<P>Then set up an IPSEC subnet-to-subnet tunnel between your gateway 
and  his, with your subnet specified as the extruded subnet, and his 
subnet  specified as &quot;0.0.0.0/0&quot;.  Do it with manual keying first for 
testing, and  then with automatic keying for production use.</P>
<P>The tunnel description should be:</P>
<PRE>
conn extruded
        left=p.q.r.s
        leftsubnet=0.0.0.0/0
        right=d.e.f.g
        rightsubnet=a.b.c.0/28
</PRE>
<P> If either side was doing firewalling for the extruded subnet before 
the  IPSEC connection is set up, ipsec_manual and ipsec_auto need to 
know about  that (via the {left|right}firewall parameters) so that it 
can be overridden  for the duration of the connection.</P>
<P> And it all just works.  Your SG routes traffic for 0.0.0.0/0 -- 
that is,  the whole Internet -- through the tunnel to his SG, which 
then sends it  onward as if it came from his subnet.  When traffic for 
the extruded subnet  arrives at his SG, it gets sent through the tunnel 
to your SG, which passes  it to the right machine.</P>
<P> Remember that when ipsec_manual or ipsec_auto takes a connection 
down, it <EM> does not undo the route</EM> it made for that connection. 
This lets you  take a connection down and bring up a new one, or a 
modified version of the  old one, without having to rebuild the route 
it uses and without any risk of  packets which should use IPSEC 
accidentally going out in the clear. Because  the route always points 
into KLIPS, the packets will always go there.  Because KLIPS 
temporarily has no idea what to do with them (no eroute for  them), 
they will be discarded.</P>
<P>If you <EM>do</EM> want to take the route down, this is what the 
 &quot;unroute&quot; operation in manual and auto is for.  Just do an unroute 
after  doing the down.</P>
<P>Note that the route for a connection may have replaced an existing 
 non-IPSEC route. Nothing in Linux FreeS/WAN will put that pre-IPSEC 
route  back. If you need it back, you have to create it with the route 
command.</P>
<H3><A name="roadvirt">Road Warrior with virtual IP address</A></H3>
<P> Here is a mailing list message about another way to configure for 
road warrior support:</P>
<PRE>
Subject: Re: linux-ipsec: understanding the vpn
   Date: Thu, 28 Oct 1999 10:43:22 -0400
   From: Irving Reid &lt;irving@nevex.com&gt;

&gt;  local-------linux------internet------mobile
&gt;  LAN        box                         user
&gt;  ...

&gt;  now when the mobile user connects to the linux box
&gt;  it is given a virtual IP address, i have configured it to
&gt;  be in the 10.x.x.x range. mobile user and linux box 
&gt;  have a tunnel between them with these IP addresses.

&gt;   Uptil this all is fine.

If it is possible to configure your mobile client software *not* to
use a virtual IP address, that will make your life easier. It is easier
to configure FreeS/WAN to use the actual address the mobile user gets
from its ISP.

Unfortunately, some Windows clients don't let you choose.

&gt;  what i would like to know is that how does the mobile
&gt;  user communicate with other computers on the local
&gt;  LAN , of course with the vpn ?

&gt;   what IP address should the local LAN 
&gt;  computers have ? I guess their default gateway 
&gt;  should be the linux box ? and does the linux box need
&gt;  to be a 2 NIC card box or one is fine.

As someone else stated, yes, the Linux box would usually be the default
IP gateway for the local lan.

However...

If you mobile user has software that *must* use a virtual IP address,
the whole picture changes. Nobody has put much effort into getting
FreeS/WAN to play well in this environment, but here's a sketch of one
approach:

Local Lan 1.0.0.0/24
    |
    +- Linux FreeS/WAN 1.0.0.2
    |
    | 1.0.0.1
 Router
    | 2.0.0.1
    |
Internet
    |
    | 3.0.0.1
Mobile User
      Virtual Address: 1.0.0.3

Note that the Local Lan network (1.0.0.x) can be registered, routable
addresses.

Now, the Mobile User sets up an IPSec security association with the
Linux box (1.0.0.2); it should ESP encapsulate all traffic to the
network 1.0.0.x **EXCEPT** UDP port 500. 500/udp is required for the key
negotiation, which needs to work outside of the IPSec tunnel.

On the Linux side, there's a bunch of stuff you need to do by hand (for
now). FreeS/WAN should correctly handle setting up the IPSec SA and
routes, but I haven't tested it so this may not work...

The FreeS/WAN conn should look like:

conn mobile
        right=1.0.0.2
        rightsubnet=1.0.0.0/24
        rightnexthop=1.0.0.1
        left=0.0.0.0  # The infamous &quot;road warrior&quot;
        leftsubnet=1.0.0.3/32

Note that the left subnet contains *only* the remote host's virtual
address.

Hopefully the routing table on the FreeS/WAN box ends up looking like
this:

% netstat -rn
Kernel IP routing table
Destination     Gateway      Genmask         Flags   MSS Window  irtt Iface
1.0.0.0         0.0.0.0      255.255.255.0   U      1500 0          0 eth0
127.0.0.0       0.0.0.0      255.0.0.0       U      3584 0          0 lo
0.0.0.0         1.0.0.1      0.0.0.0         UG     1500 0          0 eth0
1.0.0.3         1.0.0.1      255.255.255.255 UG     1433 0          0 ipsec0

So, if anybody sends a packet for 1.0.0.3 to the Linux box, it should
get bundled up and sent through the tunnel. To get the packets for
1.0.0.3 to the Linux box in the first place, you need to use &quot;proxy
ARP&quot;.

How this works is: when a host or router on the local Ethernet segment
wants to send a packet to 1.0.0.3, it sends out an Ethernet level
broadcast &quot;ARP request&quot;. If 1.0.0.3 was on the local LAN, it would
reply, saying &quot;send IP packets for 1.0.0.3 to my Ethernet address&quot;.

Instead, you need to set up the Linux box so that _it_ answers ARP
requests for 1.0.0.3, even though that isn't its IP address. That
convinces everyone else on the lan to send 1.0.0.3 packets to the Linux
box, where the usual FreeS/WAN processing and routing take over.

% arp -i eth0 -s 1.0.0.3 -D eth0 pub

This says, if you see an ARP request on interface eth0 asking for
1.0.0.3, respond with the Ethernet address of interface eth0.

Now, as I said at the very beginning, if it is *at all* possible to
configure your client *not* to use the virtual IP address, you can avoid
this whole mess.</PRE>
<H3><A name="dynamic">Dynamic Network Interfaces</A></H3>
<P>Sometimes you have to cope with a situation where the network 
 interface(s) aren't all there at boot. The common example is notebooks 
with  PCMCIA.</P>
<H4><A name="basicdyn">Basics</A></H4>
<P>The key issue here is that the <VAR>config setup</VAR> section of 
the <VAR> /etc/ipsec.conf</VAR> configuration file lists the connection 
between  ipsecN and hardware interfaces, in the <VAR>interfaces=</VAR>
 variable. At  any time when <VAR>ipsec setup start</VAR> or <VAR>ipsec 
setup restart</VAR> is run this variable <STRONG>must</STRONG>
 correspond to the current real  situation. More precisely, it <STRONG>
must not</STRONG> mention any hardware  interfaces which don't 
currently exist. The difficulty is that an <VAR>ipsec  setup start</VAR>
 command is normally run at boot time so interfaces that  are not up 
then are mis-handled.</P>
<H4><A name="bootdyn">Boot Time</A></H4>
<P> Normally, an <VAR>ipsec setup start</VAR> is run at boot time. 
However, if the hardware situation at boot time is uncertain, one of 
two things must be done.</P>
<UL>
<LI>One possibility is simply not to have IPSEC brought up at boot 
time.  To do this: </LI>
<PRE>        chkconfig --level 2345 ipsec off</PRE>
 That's for modern Red Hats or other Linuxes with chkconfig. Systems 
 which lack this will require fiddling with symlinks in /etc/rc.d/rc?.d 
 or the equivalent.
<LI>Another possibility is to bring IPSEC up with no interfaces, which 
is  less aesthetically satisfying but simpler.  Just put </LI>
<PRE>
        interfaces=
</PRE>
 in the configuration file.  KLIPS and Pluto will be started, but won't 
 do anything.</UL>
<H4><A name="changedyn">Change Time</A></H4>
<P>When the hardware *is* in place, IPSEC has to be made aware of it. 
 Someday there may be a nice way to do this.</P>
<P>Right now, the way to do it is to fix the <VAR>/etc/ipsec.conf</VAR>
 file  appropriately, so <VAR>interfaces</VAR> reflects the new 
situation, and then  restart the IPSEC subsystem. This does break any 
existing IPSEC  connections.</P>
<P>If IPSEC wasn't brought up at boot time, do</P>
<PRE>        ipsec setup start</PRE>
 while if it was, do 
<PRE>        ipsec setup restart</PRE>
 which won't be as quick. 
<P>If some of the hardware is to be taken out, before doing that, amend 
the  configuration file so interfaces no longer includes it, and do</P>
<PRE>        ipsec setup restart</PRE>
<P>Again, this breaks any existing connections.</P>
<H3><A name="unencrypted">Unencrypted tunnels</A></H3>
<P> Sometimes you might want to create a tunnel without encryption. 
Often this is a bad idea, even if you have some data which need not be 
private. See this <A href="#traffic.resist">discussion</A>. </P>
<P> The IPSEC protocols provide two ways to do build such tunnels: </P>
<DL>
<DT>using ESP with null encryption </DT>
<DD>not supported by FreeS/WAN </DD>
<DT>using <A href="#AH">AH</A> without <A href="#ESP">ESP</A></DT>
<DD>supported for manually keyed connections </DD>
<DD>possible with explicit commands via <A href="manpage.d/ipsec_whack.8.html">
ipsec_whack(8)</A> (see this <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00190.html">
list message</A>) </DD>
<DD>not supported in the <A href="manpage.d/ipsec_auto.8.html">
ipsec_auto(8)</A> scripts. </DD>
</DL>
 One situation in which this comes up is when otherwise some data would 
be encrypted twice. Alice wants a secure tunnel from her machine to 
Bob's. Since she's behind one security gateway and he's behind another, 
part of the tunnel that they build passes through the tunnel that their 
site admins have built between the gateways. All of Alice and Bob's 
messages are encrypted twice.
<P> There are several ways to handle this.</P>
<UL>
<LI>Just accept the overhead of double encryption. The site admins 
might  choose this if any of the following apply: 
<UL>
<LI>policy says encrypt everything (usually, it should) </LI>
<LI>they don't entirely trust Alice and Bob (usually, if they don't 
have to, they  shouldn't) </LI>
<LI>if they don't feel the saved cycles are worth the time they'd need 
to  build a non-encrypted tunnel for Alice and Bob's packets (often, 
they aren't) </LI>
</UL>
</LI>
<LI>Use a plain IP-in-IP tunnel. These are not well documented. A good 
 starting point is in the Linux kernel source tree, in 
 /usr/src/linux/drivers/net/README.tunnel.</LI>
<LI>Use a manually-keyed AH-only tunnel.</LI>
</UL>
<P> Note that if Alice and Bob want end-to-end security, they must 
build a tunnel end-to-end between their machines or use some other 
end-to-end tool such as PGP or SSL that suits their data. The only 
question is whether the admins build some special unencrypted tunnel 
for those already-encrypted packets. </P>
<HR>
<H1><A name="manpages">FreeS/WAN manual pages</A></H1>
<P> The various components of Linux FreeS/WAN are of course documented 
in standard Unix manual pages, accessible via the man(1) command.</P>
<P> Links here take you to an HTML version of the man pages.</P>
<H2><A name="man.file">Files</A></H2>
<DL>
<DT><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
<DD>IPSEC configuration and connections</DD>
<DT><A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></DT>
<DD>preshared secrets for IKE/IPsec authentication</DD>
</DL>
<P> These files are also discussed in the <A href="config.html">
configuration</A> section.</P>
<H2><A name="man.command">Commands</A></H2>
<P> Many users will never give most of the FreeS/WAN commands directly. 
Configure the files listed above correctly and everything should be 
automatic.</P>
<P> One exception is:</P>
<DL>
<DT><A href="manpage.d/ipsec_rsasigkey.8.html">ipsec_rsasigkey(8)</A></DT>
<DD>generate <A href="#RSA">RSA</A> keys for use in Pluto authentication</DD>
</DL>
<P>Note that:</P>
<UL>
<LI>These keys are for <STRONG>authentication only</STRONG>. They are <STRONG>
 not secure for encryption</STRONG>.</LI>
<LI>The utility uses random(4) as a source of <A href="#random">random 
 numbers</A>. This may block for some time if there is not enough 
 activity on the machine to provide the required entropy. You may want 
to  give it some bogus activity such as random mouse movements or some 
 command such as <TT>du /usr &gt; dev/null </TT></LI>
</UL>
<P>The following commands are fairly likely to be used, if only for 
testing and status checks:</P>
<DL>
<DT><A href="manpage.d/ipsec.8.html">ipsec(8)</A></DT>
<DD>invoke IPSEC utilities</DD>
<DT><A href="manpage.d/ipsec_setup.8.html">ipsec_setup(8)</A></DT>
<DD>control IPSEC subsystem</DD>
<DT><A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></DT>
<DD>control automatically-keyed IPSEC connections</DD>
<DT><A href="manpage.d/ipsec_manual.8.html">ipsec_manual(8)</A></DT>
<DD>take manually-keyed IPSEC connections up and down</DD>
<DT><A href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</A></DT>
<DD>generate random bits in ASCII form</DD>
<DT><A href="manpage.d/ipsec_look.8.html">ipsec_look(8)</A></DT>
<DD>show minimal debugging information</DD>
<DT><A href="manpage.d/ipsec_barf.8.html">ipsec_barf(8)</A></DT>
<DD>spew out collected IPSEC debugging information</DD>
</DL>
<P>The lower-level utilities listed below are normally invoked via 
scripts listed above, but they can also be used directly when required.</P>
<DL>
<DT><A href="manpage.d/ipsec_eroute.8.html">ipsec_eroute(8)</A></DT>
<DD>manipulate IPSEC extended routing tables</DD>
<DT><A href="manpage.d/ipsec_klipsdebug.8.html">ipsec_klipsdebug(8)</A></DT>
<DD>set Klips (kernel IPSEC support) debug features and level</DD>
<DT><A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A></DT>
<DD>IPsec IKE keying daemon</DD>
<DT><A href="manpage.d/ipsec_spi.8.html">ipsec_spi(8)</A></DT>
<DD>manage IPSEC Security Associations</DD>
<DT><A href="manpage.d/ipsec_spigrp.8.html">ipsec_spigrp(8)</A></DT>
<DD>group/ungroup IPSEC Security Associations</DD>
<DT><A href="manpage.d/ipsec_tncfg.8.html">ipsec_tncfg(8)</A></DT>
<DD>associate IPSEC virtual interface with real interface</DD>
<DT><A href="manpage.d/ipsec_whack.8.html">ipsec_whack(8)</A></DT>
<DD>control interface for IPSEC keying daemon</DD>
</DL>
<H2><A name="man.lib">Library routines</A></H2>
<DL>
<DT><A href="manpage.d/ipsec_atoaddr.3.html">ipsec_atoaddr(3)</A></DT>
<DT><A href="manpage.d/ipsec_addrtoa.3.html">ipsec_addrtoa(3)</A></DT>
<DD>convert Internet addresses to and from ASCII</DD>
<DT><A href="manpage.d/ipsec_atosubnet.3.html">ipsec_atosubnet(3)</A></DT>
<DT><A href="manpage.d/ipsec_subnettoa.3.html">ipsec_subnettoa(3)</A></DT>
<DD>convert subnet/mask ASCII form to and from addresses</DD>
<DT><A href="manpage.d/ipsec_atoasr.3.html">ipsec_atoasr(3)</A></DT>
<DD>convert ASCII to Internet address, subnet, or range</DD>
<DT><A href="manpage.d/ipsec_rangetoa.3.html">ipsec_rangetoa(3)</A></DT>
<DD>convert Internet address range to ASCII</DD>
<DT>ipsec_atodata(3)</DT>
<DT><A href="manpage.d/ipsec_datatoa.3.html">ipsec_datatoa(3)</A></DT>
<DD>convert binary data from and to ASCII formats</DD>
<DT><A href="manpage.d/ipsec_atosa.3.html">ipsec_atosa(3)</A></DT>
<DT><A href="manpage.d/ipsec_satoa.3.html">ipsec_satoa(3)</A></DT>
<DD>convert IPSEC Security Association IDs to and from ASCII</DD>
<DT><A href="manpage.d/ipsec_atoul.3.html">ipsec_atoul(3)</A></DT>
<DT><A href="manpage.d/ipsec_ultoa.3.html">ipsec_ultoa(3)</A></DT>
<DD>convert unsigned-long numbers to and from ASCII</DD>
<DT><A href="manpage.d/ipsec_goodmask.3.html">ipsec_goodmask(3)</A></DT>
<DD>is this Internet subnet mask a valid one?</DD>
<DT><A href="manpage.d/ipsec_masktobits.3.html">ipsec_masktobits(3)</A></DT>
<DD>convert Internet subnet mask to bit count</DD>
<DT><A href="manpage.d/ipsec_bitstomask.3.html">ipsec_bitstomask(3)</A></DT>
<DD>convert bit count to Internet subnet mask</DD>
<DT><A href="manpage.d/ipsec_optionsfrom.3.html">ipsec_optionsfrom(3)</A>
</DT>
<DD>read additional ``command-line'' options from file</DD>
<DT><A href="manpage.d/ipsec_subnetof.3.html">ipsec_subnetof(3)</A></DT>
<DD>given Internet address and subnet mask, return subnet number</DD>
<DT><A href="manpage.d/ipsec_hostof.3.html">ipsec_hostof(3)</A></DT>
<DD>given Internet address and subnet mask, return host part</DD>
<DT><A href="manpage.d/ipsec_broadcastof.3.html">ipsec_broadcastof(3)</A>
</DT>
<DD>given Internet address and subnet mask, return broadcast address</DD>
</DL>
<HR>
<H1><A name="firewall">FreeS/WAN and firewalls</A></H1>
<P> FreeS/WAN, or other IPSEC implementations, frequently run on 
gateway  machines, the same machines running firewall or packet 
filtering code. This  document discusses the relation between the two.</P>
<H2><A name="packets">IPSEC packets</A></H2>
<P>IPSEC uses three main types of packet:</P>
<DL>
<DT><A href="#IKE">IKE</A> uses <STRONG>the UDP protocol and port  500</STRONG>
.</DT>
<DD>Unless you are using only (less secure, not recommended) manual 
 keying, you need IKE to negotiate connection parameters, acceptable 
 algorithms, key sizes and key setup. IKE handles everything required 
 to set up, rekey, repair or tear down IPSEC connections.</DD>
<DT><A href="#ESP">ESP</A> is <STRONG>protocol number 50</STRONG></DT>
<DD>This is required for encrypted connections.</DD>
<DT><A href="#AH">AH</A> is <STRONG>protocol number 51</STRONG></DT>
<DD>This can be used where only authentication, not encryption, is 
 required. That can also be done with ESP and null encryption.</DD>
</DL>
<P> All of those packets should have appropriate IPSEC gateway 
addresses in both the to and from IP header fields. Firewall rules can 
check this if you wish, though it is not strictly necessary. This is 
discussed in more detail <A href="#unknowngate">later</A>. </P>
<P> IPSEC processing of incoming packets authenticates them then 
removes the ESP or AH header and decrypts if necessary. Successful 
processing exposes an inner packet which is then delivered back to the 
firewall machinery, marked as having arrived on an <VAR>ipsec[0-3]</VAR>
 interface. Firewall rules can use that interface label to distinguish 
these packets from unencrypted packets which are labelled with the 
physical interface they arrived on (or perhaps with a non-IPSEC virtual 
interface such as <VAR>ppp0</VAR>).</P>
<P> One of our users sent a mailing list message with a <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html">
diagram</A> of the packet flow. </P>
<H3><A name="noport">ESP and AH do not have ports</A></H3>
<P> Some protocols, such as TCP and UDP, have the notion of ports. 
Others protocols, including ESP and AH, do not. Quite a few IPSEC 
newcomers have  become confused on this point. There are no ports <EM>in</EM>
 the ESP or AH  protocols, and no ports used <EM>for</EM> them. For 
these protocols, <EM>the  idea of ports is completely irrelevant</EM>.</P>
<H3><A name="header">Header layout</A></H3>
<P>The protocol numbers for ESP or AH are used in the 'next header' 
field of  the IP header. On most non-IPSEC packets, that field would 
have one of:</P>
<UL>
<LI>1 for ICMP</LI>
<LI>4 for IP-in-IP encapsulation</LI>
<LI>6 for TCP</LI>
<LI>17 for UDP</LI>
<LI>... or one of about 100 other possibilities listed by <A href="http://www.isi.edu/in-notes/iana/assignments/protocol-numbers">
IANA</A></LI>
</UL>
<P>Each header in the sequence tells what the next header will be. 
IPSEC  adds headers for ESP or AH near the beginning of the sequence. 
The original  headers are kept and the 'next header' fields adjusted so 
that all headers  can be correctly interpreted.</P>
<P>For example, using <STRONG>[</STRONG><STRONG> ]</STRONG> to indicate 
data  protected by ESP and unintelligible to an eavesdropper between 
the  gateways:</P>
<UL>
<LI>a simple packet might have only IP and TCP headers with: 
<UL>
<LI>IP header says next header --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data</LI>
</UL>
</LI>
<LI>with ESP <A href="#transport">transport mode</A> encapsulation, 
that  packet would have: 
<UL>
<LI>IP header says next header --&gt; ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data <STRONG>]</STRONG></LI>
</UL>
 Note that the IP header is outside ESP protection, visible to an 
 attacker, and that the final destination must be the gateway.</LI>
<LI>with ESP in <A href="#tunnel">tunnel mode</A>, we might have: 
<UL>
<LI>IP header says next header --&gt; ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; IP</LI>
<LI>IP header says next header --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data <STRONG>]</STRONG></LI>
</UL>
 Here the inner IP header is protected by ESP, unreadable by an 
attacker.  Also, the inner header can have a different IP address than 
the outer IP  header, so the decrypted packet can be routed from the 
IPSEC gateway to  a final destination which may be another machine.</LI>
</UL>
<P> Part of the ESP header itself is encrypted, which is why the <STRONG>
[</STRONG> indicating protected data appears in the middle of some 
lines above. The next header field of the ESP header is protected. This 
makes <A href="#traffic">traffic analysis</A> more difficult. The next 
header field would tell an eavesdropper whether your packet was UDP to 
the gateway, TCP to the gateway, or encapsulated IP. It is better not 
to give this information away. A clever attacker may deduce some of it 
from the pattern of packet sizes and timings, but we need not make it 
easy. </P>
<P> IPSEC allows various combinations of these to match local policies, 
including combinations that use both AH and ESP headers or that nest 
multiple copies of these headers.</P>
<P> For example, suppose my employer has an IPSEC VPN running between 
two offices so all packets travelling between the gateways for those 
offices are encrypted. If gateway policies allow it (The admins could 
block UDP 500 and protocols 50 and 51 to disallow it), I can build an 
IPSEC tunnel from my desktop to a machine in some remote office. Those 
packets will have one ESP header throughout their life, for my 
end-to-end tunnel. For part of the route, however, they will also have 
another ESP layer for the corporate VPN's encapsulation. The whole 
header scheme for a packet on the Internet might be:</P>
<UL>
<LI>IP header (with gateway address) says next header --&gt; ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; IP</LI>
<LI>IP header (with receiving machine address) says next header --&gt;  ESP</LI>
<LI>ESP header <STRONG>[</STRONG> says next --&gt; TCP</LI>
<LI>TCP header port number --&gt; which process to send data to</LI>
<LI>data <STRONG>]]</STRONG></LI>
</UL>
<P> The first ESP (outermost) header is for the corporate VPN. The 
inner ESP header is for the secure machine-to-machine link.</P>
<H2><A name="filters">Filtering rules for IPSEC packets</A></H2>
<P> As a consequence of the above, an IPSEC gateway should have packet 
filters that allow the following protocols when talking to other IPSEC 
gateways:</P>
<UL>
<LI>UDP port 500</LI>
<LI>protocol 50 if you use ESP encryption and/or authentication (the 
 typical case)</LI>
<LI>protocol 51 if you use AH packet-level authentication</LI>
</UL>
<P> Your gateway and the other IPSEC gateways it communicates with must 
be able to exchange these packets for IPSEC to work. Firewall rules 
must allow UDP 500 and at least one of AH or ESP on the interface that 
communicates with the other gateway. </P>
<H3><A name="through">IPSEC <EM>through</EM></A> the gateway</H3>
<P> The preceeding paragraph deals with packets <EM>addressed to or 
sent from  your gateway</EM>. It is a separate policy decision whether 
to permit such  packets to pass <EM>through</EM> the gateway so that 
client machines can  build end-to-end IPSEC tunnels of their own. This 
may not be practical if  you are using <A href="#NAT">NAT (IP 
masquerade)</A> on your gateway, and  may conflict with some corporate 
security policies. Other than that, it is  likely a good idea.</P>
<H3><A name="ipsec_only">Preventing non-IPSEC traffic</A></H3>
 You can of course also filter <EM>everything but</EM> UDP port 500 and 
ESP or AH to restrict traffic to IPSEC only, either for anyone 
communicating with your host or just for specific partners. 
<H3><A name="unknowngate">Filtering packets from unknown gateways</A></H3>
<P> It is possible to use firewall rules to restrict UDP 500, ESP and 
AH packets so that these packets are accepted only from known gateways. 
This is not strictly necessary since FreeS/WAN will discard packets 
from unknown gateways. You might, however, want to do it for any of a 
number of reasons. For example:</P>
<UL>
<LI>Arguably, &quot;belt and suspenders&quot; is the sensible approach to 
security.  If you can block a potential attack in two ways, use both. 
The only  question is whether to look for a third way after 
implementing the first  two.</LI>
<LI>Some admins may prefer to use the firewall code this way because 
they  prefer firewall logging to FreeS/WAN's logging.</LI>
<LI>You may need it to implement your security policy. Consider an 
 employee working at home, and a policy that says traffic from the home 
 system to the Internet at large must go first via IPSEC to the 
corporate  LAN and then out to the Internet via the corporate firewall. 
One way to  do that is to make <VAR>ipsec0</VAR> the default route on 
the home  gateway and provide exceptions only for UDP 500 and ESP to 
the corporate  gateway. Everything else is then routed via the tunnel 
to the corporate  gateway.</LI>
</UL>
<P>It is not possible to use only static firewall rules for this 
filtering  if you do not know the other gateways' IP addresses in 
advance, for example  if you have &quot;road warriors&quot; who may connect from 
a different address each  time or if want to do <A href="#carpediem">
opportunistic encryption</A> to  arbitrary gateways. In these cases, 
you can accept UDP 500 IKE packets from  anywhere, then use the <A href="#updown">
updown</A> script feature of <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> to dynamically adjust  firewalling for each negotiated 
tunnel.</P>
<P>Firewall packet filtering does not much reduce the risk of a <A href="#DoS">
denial of service attack</A> on FreeS/WAN. The firewall can drop 
 packets from unknown gateways, but KLIPS does that quite efficiently 
anyway,  so you gain little. The firewall cannot drop otherwise 
legitmate packets  that fail KLIPS authentication, so it cannot protect 
against an attack  designed to exhaust resources by making FreeS/WAN 
perform many expensive  authentication operations.</P>
<P>In summary, firewall filtering of IPSEC packets from unknown 
gateways is  possible but not strictly necessary.</P>
<H2><A name="otherfilter">Other packet filters</A></H2>
<P>When the IPSEC gateway is also acting as your firewall, other packet 
 filtering rules will be in play. In general, those are outside the 
scope of  this document. See our <A href="#firewall">Linux firewall 
links</A> for  information. There are a few types of packet, however, 
which can affect the  operation of FreeS/WAN or of diagnostic tools 
commonly used with it. These  are discussed below.</P>
<H3><A name="ICMP">ICMP filtering</A></H3>
<P><A href="#icmp">ICMP</A> is the <STRONG>I</STRONG>nternet <STRONG>C</STRONG>
ontrol <STRONG>M</STRONG>essage <STRONG>P</STRONG>rotocol. It is used 
for messages between IP implementations themselves, whereas IP used is 
used between the clients of those implementations. ICMP is, 
unsurprisingly, used for control messages. For example, it is used to 
notify a sender that a desination is not reachable, or to tell a router 
to reroute certain packets elsewhere. </P>
<P> ICMP handling is tricky for firewalls. </P>
<UL>
<LI>You definitely want some ICMP messages to get through; things won't 
work without them. For example, your clients need to know if some 
destination they ask for is unreachable. </LI>
<LI>On the other hand, you do equally definitely do not want untrusted 
folk sending arbitrary control messages to your machines. Imagine what 
someone moderately clever and moderately malicious could do to you, 
given control of your network's routing. </LI>
</UL>
<P>ICMP does not use ports. Messages are distinguished by a &quot;message 
type&quot;  field and, for some types, by an additional &quot;code&quot; field. The 
definitive  list of types and codes is on the <A href="http://www.isi.edu/in-notes/iana/assignments/icmp-parameters">
IANA</A> site.</P>
<P>One expert uses this definition for ICMP message types to be dropped 
at  the firewall.</P>
<PRE>
# ICMP types which lack socially redeeming value.
#  5     Redirect
#  9     Router Advertisement
# 10     Router Selection
# 15     Information Request
# 16     Information Reply
# 17     Address Mask Request
# 18     Address Mask Reply

badicmp='5 9 10 15 16 17 18'
</PRE>
<P> A more conservative approach would be to make a list of allowed 
types and drop everything else.</P>
<P>Whichever way you do it, your ICMP filtering rules on a FreeS/WAN 
gateway  should allow at least the following ICMP packet types:</P>
<DL>
<DT>echo (type 8)</DT>
<DD>
<DT>echo reply (type 0)</DT>
<DD>These are used by ping(1). We recommend allowing both types through 
 the tunnel and to or from your gateway's external interface, since 
 ping(1) is an essential testing tool. </DD>
<P>It is fairly common for firewalls to drop ICMP echo packets 
 addressed to machines behind the firewall. If that is your policy, 
 please create an exception for such packets arriving via an IPSEC 
 tunnel, at least during intial testing of those tunnels.</P>
<DT>destination unreachable (type 3)</DT>
<DD>This is used, with code 4 (Fragmentation Needed and Don't Fragment 
 was Set) in the code field, to control <A href="#pathMTU">path MTU 
 discovery</A>. Since IPSEC processing adds headers, enlarges packets 
 and may cause fragmentation, an IPSEC gateway should be able to send 
 and receive these ICMP messages <STRONG>on both inside and outside 
 interfaces</STRONG>.</DD>
</DL>
<H3><A name="traceroute">UDP packets for traceroute</A></H3>
<P> The traceroute(1) utility uses UDP port numbers from 33434 to 
approximately 33633. Generally, these should be allowed through for 
troubleshooting.</P>
<P> Some firewalls drop these packets to prevent outsiders exploring 
the protected network with traceroute(1). If that is your policy, 
consider creating an exception for such packets arriving via an IPSEC 
tunnel, at least during intial testing of those tunnels.</P>
<H3><A name="l2tp">UDP for L2TP</A></H3>
 Windows 2000 does, and products designed for compatibility with it 
may, build <A href="#l2tp">L2TP</A> tunnels over IPSEC connections. 
<P> For this to work, you must allow UDP protocol 1701 packets coming 
out of your tunnels to continue to their destination. You can, and 
probably should, block such packets to or from your external 
interfaces, but allow them from <VAR>ipsec0</VAR>. </P>
<P> See also our Windows 2000 <A href="#win2k">interoperation discussion</A>
. </P>
<H2><A name="NAT">IPSEC and NAT</A></H2>
<P><A href="#NAT"> Network Address Translation</A>, also known as IP 
masquerading, is a method of allocating IP addresses dynamically, 
typically in circumstances where the total number of machines which 
need to access the Internet exceeds the supply of IP addresses.</P>
<P> Any attempt to perform NAT operations on IPSEC packets <EM>between 
the  IPSEC gateways</EM> creates a basic conflict:</P>
<UL>
<LI>IPSEC wants to authenticate packets and ensure they are unaltered 
on a  gateway-to-gateway basis</LI>
<LI>NAT rewrites packet headers as they go by</LI>
<LI>IPSEC authentication fails if packets are rewritten anywhere 
between  the IPSEC gateways</LI>
</UL>
 For <A href="#AH">AH</A>, which authenticates parts of the packet 
header including source and destination IP addresses, this is fatal. If 
NAT changes those fields, AH authentication fails. 
<P> For <A href="#IKE">IKE</A> and <A href="#ESP">ESP</A> it is not 
necessarily fatal, but is certainly an unwelcome complication. </P>
<H3><A name="nat_ok">NAT on or behind the IPSEC gateway works</A></H3>
<P> This problem can be avoided by having the masquerading take place <EM>
on or behind</EM> the IPSEC gateway. </P>
<P> This can be done physically with two machines, one physically 
behind the other. A picture, using SG to indicate IPSEC <STRONG>S</STRONG>
ecurity <STRONG>G</STRONG>ateways, is: </P>
<PRE>
      clients --- NAT ----- SG ---------- SG
                  two machines
</PRE>
<P> In this configuration, the actual client addresses need not be 
given in the <VAR>leftsubnet=</VAR> parameter of the FreeS/WAN 
connection description. The security gateway just delivers packets to 
the NAT box; it needs only that machine's address. What that machine 
does with them does not affect FreeS/WAN. </P>
<P> A more common setup has one machine performing both functions:</P>
<PRE>
      clients ----- NAT/SG ---------------SG
                  one machine
</PRE>
 Here you have a choice of techniques depending on whether you want to 
make your client subnet visible to clients on the other end: 
<UL>
<LI>If you want the single gateway to behave like the two shown above, 
with your clients hidden behind the NAT, then omit the <VAR>leftsubnet=</VAR>
 parameter. It then defaults to the gateway address. Clients on the 
other end then talk via the tunnel only to your gateway. The gateway 
takes packets emerging from the tunnel, applies normal masquerading, 
and forwards them to clients. </LI>
<LI>If you want to make your client machines visible, then give the 
client subnet addresses as the <VAR>leftsubnet=</VAR> parameter in the 
connection description and 
<DL>
<DT>either </DT>
<DD>set <VAR>leftfirewall=yes</VAR> to use the default <VAR>updown</VAR>
 script </DD>
<DT>or </DT>
<DD>use your own script by giving its name in a <VAR>leftupdown=</VAR>
 parameter </DD>
</DL>
 These scripts are described in their own <A href="#updown">section</A>
. </LI>
<P> In this case, no masquerading is done. Packets to or from the 
client subnet are encrypted or decrypted without any change to their 
client subnet addresses, although of course the encapsulating packets 
use gateway addresses in their headers. Clients behind the right 
security gateway see a route via that gateway to the left subnet.</P>
</UL>
<H3><A name="nat_bad">NAT between gateways is problematic</A></H3>
<P> We recommend not trying to build IPSEC connections which pass 
through a NAT machine. This setup poses problems:</P>
<PRE>
      clients --- SG --- NAT ---------- SG
</PRE>
 If you must try it, some references are: 
<UL>
<LI>Jean_Francois Nadeau's document on doing <A href="http://jixen.tripod.com/#NATed gateways">
IPSEC behind NAT</A></LI>
<LI><A href="#VPN.masq">VPN masquerade patches</A> to make a Linux NAT 
box handle IPSEC packets correctly </LI>
</UL>
<H3><A name="">Other references on NAT and IPSEC</A></H3>
 Other documents which may be relevant include: 
<UL>
<LI>an Internet Draft on <A href="http://search.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt">
IPSEC and NAT</A> which may eventually evolve into a standard solution 
for this problem. </LI>
<LI>an informational <A href="http://www.cis.ohio-state.edu/rfc/rfc2709.txt">
RFC</A>, <CITE>Security Model with Tunnel-mode IPsec for NAT Domains</CITE>
. </LI>
<LI>an <A href="http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html">
article</A> in Cisco's <CITE>Internet Protocol Journal</CITE></LI>
</UL>
<H2><A name="updown">Calling firewall scripts, named in ipsec.conf(5)</A>
</H2>
<P> The <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
 configuration file has three pairs of parameters used to specify an 
interface between FreeS/WAN and firewalling code.</P>
<P> Note that using these is not required if you have a static firewall 
setup. In that case, you just set your firewall up at boot time (in a 
way that permits the IPSEC connections you want) and do not change it 
thereafter. Omit all the FreeS/WAN firewall parameters and FreeS/WAN 
will not attempt to adjust firewall rules at all. See <A href="#examplefw">
below</A> for some information on appropriate scripts. </P>
<P> However, if you want your firewall rules to change when IPSEC 
connections change, then you need to use these parameters. </P>
<H3><A name="pre_post">Scripts called at IPSEC start and stop</A></H3>
<P> One pair of parmeters are set in the <VAR>config setup</VAR>
 section of the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
 file and affect all connections:</P>
<DL>
<DT>prepluto=</DT>
<DD>
<DT>postpluto=</DT>
<DD>specify scripts to be called before our <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> IKE daemon is started and after it is stopped.</DD>
</DL>
 These parameters allow you to change firewall parameters whenever 
IPSEC is started or stopped. 
<P> They can also be used in other ways. For example, you might have <VAR>
prepluto</VAR> add a module to your kernel for the secure network 
interface or make a dialup connection, and then have <VAR>postpluto</VAR>
 remove the module or take the connection down. </P>
<H3><A name="up_down">Scripts called at connection up and down</A></H3>
<P> The other parameters are set in connection descriptions. They can 
be set in individual connection descriptions, and could even call 
different scripts for each connection for maximum flexibility. In most 
applications, however, it makes sense to use only one script and to 
call it from <VAR>conn %default</VAR> section so that it applies to all 
connections. </P>
<P> You can either set <VAR>[left|right]firewall=yes</VAR> to use our 
supplied default script or assign a name in a <VAR>[left|right]updown=</VAR>
 line to use your own script. </P>
<P> For details of when Pluto calls these scripts, what arguments it 
passes to them, and what the default script does with those arguments, 
see the <A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A> man 
page. </P>
<P> Note that <STRONG>only one of these should be used</STRONG>. You 
cannot sensibly use both. </P>
<H4><A name="">The default script</A></H4>
 We supply a default script named <VAR>_updown</VAR>. 
<DL>
<DT>leftfirewall=</DT>
<DD>
<DT>rightfirewall=</DT>
<DD>indicates that the gateway is doing firewalling and that <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> should poke holes in  the firewall as required. </DD>
</DL>
 Set these to <VAR>yes</VAR> and Pluto will call our default script <VAR>
 _updown</VAR> with appropriate arguments whenever it: 
<UL>
<LI>starts or stops IPSEC services</LI>
<LI>brings a connection up or down</LI>
</UL>
 The supplied default <VAR>_updown</VAR> script is appropriate for 
simple cases using the <VAR>ipfwadm(8)</VAR> firewalling package. 
<H4><A name="userscript">User-written scripts</A></H4>
 You can also write your own script and have Pluto call it. Just put 
the script's name in one of these <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> lines: 
<DL>
<DT>leftupdown=</DT>
<DD>
<DT>rightupdown=</DT>
<DD>specifies a script to call instead of our default script <VAR>
 _updown</VAR>.</DD>
</DL>
 Your script should take the same arguments and use the same 
environment variables as <VAR>_updown</VAR>. These are described in the <A
href="manpage.d/ipsec_pluto.8.html">pluto(8)</A> man page. 
<P> In developing your own script, you can of course use our scripts 
(either the default _updown or the ipchains-based example given <A href="#exupdownchains">
below</A>) as a starting point. Note, however, that <STRONG>you should 
not modify our _updown script in place</STRONG>. If you did that, then 
upgraded FreeS/WAN, the upgrade would install a new default script, 
overwriting your changes. </P>
<H3><A name="ipchains.script">Scripts for ipchains</A></H3>
<P> Our <VAR>_updown</VAR> is for firewalls using <VAR>ipfwadm(8)</VAR>
. If you are using the more recent package <VAR>ipchains(8)</VAR>, you 
must do one of: </P>
<UL>
<LI>use static firewall rules which require no change for FreeS/WAN </LI>
<LI>limit yourself to ipchains(8)'s ipfwadm(8) emulation mode in  order 
to use our script </LI>
<LI>write your own script and call it with <VAR>leftupdown</VAR> and <VAR>
 rightupdown</VAR>. </LI>
</UL>
<P> We provide an <A href="#exupdownchains">example script</A> for use 
 with ipchains(8) below.</P>
<H3><A name="dhr">DHR on the updown script</A></H3>
<P> Here are some mailing list comments from <A href="manpage.d/ipsec_pluto.8.html">
pluto(8)</A> developer Hugh Redelmeier on an earlier draft of this 
document:</P>
<PRE>
There are many important things left out

- firewalling is important but must reflect (implement) policy.  Since
  policy isn't the same for all our customers, and we're not experts,
  we should concentrate on FW and MASQ interactions with FreeS/WAN.

- we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
  IKE, IPsec, FW, and MASQ are all done on that machine.  The flow is
  obvious if the components are run on different machines (trace the
  cables).

  IKE input:
        + packet appears on public IF, as UDP port 500
        + input firewalling rules are applied (may discard)
        + Pluto sees the packet.

  IKE output:
        + Pluto generates the packet &amp; writes to public IF, UDP port 500
        + output firewalling rules are applied (may discard)
        + packet sent out public IF

  IPsec input, with encapsulated packet, outer destination of this host:
        + packet appears on public IF, protocol 50 or 51.  If this
          packet is the result of decapsulation, it will appear
          instead on the paired ipsec IF.
        + input firewalling rules are applied (but packet is opaque)
        + KLIPS decapsulates it, writes result to paired ipsec IF
        + input firewalling rules are applied to resulting packet
          as input on ipsec IF
        + if the destination of the packet is this machine, the
          packet is passed on to the appropriate protocol handler.
          If the original packet was encapsulated more than once
          and the new outer destination is this machine, that
          handler will be KLIPS.
        + otherwise:
          * routing is done for the resulting packet.  This may well
            direct it into KLIPS for encoding or encrypting.  What
            happens then is described elsewhere.
          * forwarding firewalling rules are applied
          * output firewalling rules are applied
          * the packet is sent where routing specified

 IPsec input, with encapsulated packet, outer destination of another host:
        + packet appears on some IF, protocol 50 or 51
        + input firewalling rules are applied (but packet is opaque)
        + routing selects where to send the packet
        + forwarding firewalling rules are applied (but packet is opaque)
        + packet forwarded, still encapsulated

  IPsec output, from this host or from a client:
        + if from a client, input firewalling rules are applied as the
          packet arrives on the private IF
        + routing directs the packet to an ipsec IF (this is how the
          system decides KLIPS processing is required)
        + if from a client, forwarding firewalling rules are applied
        + KLIPS eroute mechanism matches the source and destination
          to registered eroutes, yielding a SPI group.  This dictates
          processing, and where the resulting packet is to be sent
          (the destinations SG and the nexthop).
        + output firewalling is not applied to the resulting
          encapsulated packet

- Until quite recently, KLIPS would double encapsulate packets that
  didn't strictly need to be.  Firewalling should be prepared for
  those packets showing up as ESP and AH protocol input packets on
  an ipsec IF.

- MASQ processing seems to be done as if it were part of the
  forwarding firewall processing (this should be verified).

- If a firewall is being used, it is likely the case that it needs to
  be adjusted whenever IPsec SAs are added or removed.  Pluto invokes
  a script to do this (and to adjust routing) at suitable times.  The
  default script is only suitable for ipfwadm-managed firewalls.  Under
  LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
  but ipchains more powerful if manipulated using the ipchains command.
  In this case, a custom updown script must be used.

  We think that the flexibility of ipchains precludes us supplying an
  updown script that would be widely appropriate.
</PRE>
 We do provide a sample script in the next section. It is essentially a 
transliteration of the version we supply for ipfwadm. Because it 
doesn't process the command line argument, it cannot be directly 
subsituted -- it won't support the semantics of *firewall=no. It can be 
used in <VAR>[left|right]updown=</VAR>. 
<H3><A name="exupdownchains">Example updown script for ipchains</A></H3>
<P> Here is an example updown script for use with ipchains. It is 
intended to be called via an <VAR>updown=</VAR> statement in <A href="manpage.d/ipsec.conf.5.html">
 ipsec.conf</A>. </P>
<PRE>
#! /bin/sh
# sample updown script for ipchains
# Copyright (C) 2000  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See .
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: firewall.html,v 1.20 2001/06/12 05:14:54 sandy Exp $

# check interface version
case &quot;$PLUTO_VERSION&quot; in
1.0)    ;;
*)      echo &quot;$0: unknown interface version \`$PLUTO_VERSION'&quot; &gt;2        exit 2
        ;;
esac

# check parameter(s)
case &quot;$*&quot; in
'')     ;;
*)      echo &quot;$0: parameters unexpected&quot; &gt;2        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
uproute() {
        route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
                dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}
downroute() {
        route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
                dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}

# the big choice
case &quot;$PLUTO_VERB&quot; in
prepare-host|prepare-client)
        # delete possibly-existing route (preliminary to adding a route)
        oops=&quot;`route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2&gt;1&quot;
        status=&quot;$?&quot;
        if test &quot; $oops&quot; = &quot; &quot; -a &quot; $status&quot; != &quot; 0&quot;
        then
                oops=&quot;silent error in route command, exit status $status&quot;
        fi
        case &quot;$oops&quot; in
        'SIOCDELRT: No such process')
                # This is what route (currently -- not documented!) gives
                # for &quot;could not find such a route&quot;.
                status=0
                ;;
        esac
        exit $status
        ;;
route-host|route-client)
        # connection to this host or client being routed
        uproute
        ;;
unroute-host|unroute-client)
        # connection to this host or client being unrouted
        downroute
        ;;
up-host)
        # connection to this host coming up
        ;;
down-host)
        # connection to this host going down
        ;;
up-client)
        # connection to client subnet, through forwarding firewall, coming up
        ipchains -I forward -j ACCEPT -b \
                -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client)
        # connection to client subnet, through forwarding firewall, going down
        ipchains -D forward -j ACCEPT -b \
                -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*)      echo &quot;$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'&quot; &gt;2        exit 1
        ;;
esac</PRE>
<H2><A name="examplefw">Ipchains firewall configuration at boot</A></H2>
<P> It is also possible to set up both firewalling and IPSEC with 
appropriate scripts at boot and then not use <VAR>leftupdown=</VAR> and <VAR>
rightupdown=</VAR>, or use them only for simple up and down operations.</P>
<P> Basically, the technique is </P>
<UL>
<LI>allow IPSEC packets (typically, IKE on UDP port 500 plus ESP, 
protocol 50) 
<UL>
<LI>incoming, if the destination address is your gateway (and 
optionally, only from known senders) </LI>
<LI>outgoing, with the from address of your gateway (and optionally, 
only to known receivers) </LI>
</UL>
</LI>
<LI>let <A href="#Pluto">Pluto</A> deal with IKE </LI>
<LI>let <A href="#KLIPS">KLIPS</A> deal with ESP </LI>
<LI>if necessary, filter incoming packets emerging from KLIPS. </LI>
</UL>
<P> Firewall rules can recognise packets emerging from IPSEC. They are 
marked as arriving on an interface such as <VAR>ipsec0</VAR>, rather 
than <VAR>eth0</VAR>, <VAR>ppp0</VAR> or whatever. </P>
<P> While it is possible to create such rules yourself (please let us 
know via the <A href="mail.html">mailing list</A> if you do), it may be 
both easier and more secure to use a set which has already been 
published and tested. Those we know of are described below. </P>
<H3><A name="Ranch.trinity">Scripts based on Ranch's work</A></H3>
<P> One user, Rob Hutton, posted his boot time scripts to the mailing 
list, and we included them in previous versions of this documentation. 
They are still available from our <A href="http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/firewall.html#examplefw">
web site</A>. However, they were for an earlier FreeS/WAN version so we 
no longer recommend them. Also, they had some bugs. See this <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00316.html">
message</A>. </P>
<P> Those scripts were based on David Ranch's scripts for his &quot;Trinity 
OS&quot; for setting up a secure Linux. Check his <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html">
home page</A> for the latest version and for information on his <A href="#ranch">
book</A> on securing Linux. If you are going to base your firewalling 
on Ranch's scripts, we recommend using his latest version, and sending 
him any IPSEC modifications you make for incorporation into later 
versions.</P>
<H3><A name="seawall">The Seattle firewall</A></H3>
 We have had several mailing lists reports of good results using 
FreeS/WAN with Seawall (the Seattle Firewall). See that project's <A href="http://seawall.sourceforge.net/">
home page</A> on Sourceforge. 
<H3><A name="rcf">The RCF scripts</A></H3>
 Another set of firewall scripts with IPSEC support are the RCF or 
rc.firewall scripts. See their <A href="http://jsmoriss.mvlan.net/linux/rcf.html">
home page</A>. <HR>
<H1><A name="debug">Linux FreeS/WAN Troubleshooting</A></H1>
<P> This is a collection of notes on various aspects of debugging 
FreeS/WAN setup and connections. Other sources of information are: </P>
<UL>
<LI>the <A href="faq.html">FAQ</A> covers: 
<UL>
<LI>common problems </LI>
<LI>common questions </LI>
<LI>interpreting FreeS/WAN error messages </LI>
</UL>
</LI>
<LI>If the other end of your connection is not FreeS/WAN, see our <A href="#interop.problem">
interoperation</A> document. </LI>
</UL>
<H2><A name="report">Problem Reporting</A></H2>
<P> For how to report problems, see the file <A href="prob.report">
doc/prob.report</A>.</P>
<H2><A name="logusage">Logs used</A></H2>
<P> Error messages generated by KLIPS during the boot sequence are 
accessible with the <VAR>dmesg</VAR> command.</P>
<P>Pluto logs to:</P>
<UL>
<LI>/var/log/secure (or, on Debian, /var/log/auth.log)</LI>
<LI>/var/log/messages</LI>
</UL>
<P>Check both places to get full information. If you find nothing, 
check your <VAR>syslogd.conf(5)</VAR> to see where your system is 
putting things.</P>
<H2><A name="info">Information available on your system</A></H2>
<H3><A name="pages">man pages provided</A></H3>
<DL>
<DT><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
<DD>Manual page for IPSEC configuration file.</DD>
<DT><A href="manpage.d/ipsec.8.html">ipsec(8)</A></DT>
<DD>Primary man page for ipsec utilities.</DD>
</DL>
<P>Other man pages are on</P>
<P><A href="manpages.html">this list</A> and in</P>
<UL>
<LI>/usr/local/man/man3</LI>
<LI>/usr/local/man/man5</LI>
<LI>/usr/local/man/man8/ipsec_*</LI>
</UL>
<H3><A name="statusinfo">Status information</A></H3>
<DL>
<DT>/proc/net/ipsec*</DT>
<DD>Various files reporting the status of IPSEC.</DD>
<DT>ipsec auto --status</DT>
<DD>Command to get status report from running system. Displays Pluto's 
 state: the list of &quot;added&quot; conns and the list of state objects 
 reflecting ISAKMP and IPsec SAs being negotiated or installed.</DD>
<DT>ipsec look</DT>
<DD>Brief status info.</DD>
<DT>ipsec barf</DT>
<DD>Copious debugging info.</DD>
</DL>
<H2><A name="pluto.problems">Pluto problem hints</A></H2>
<P> From a message posted to the mailing list Jan 14 2000 by Pluto 
developer  Hugh Redelmeier:</P>
<PRE>
Until ipsec auto and whack/pluto get fixed:

        When puzzled by Pluto behaviour, always look in
        /var/log/secure -- that's the unadulterated story.

        To get the whole whack output (almost a subset of
        the story from Pluto), give auto the --verbose flag
        on each invocation.  Eg:
                ipsec auto --verbose --up sadaisy


Bonus hint: problems snowball.  So look for the first problem first,
it is likely to be the cause of later problems.

And a final hint: If one side keeps retrying to no avail, it may be
because the other is unhappy about something and won't reply.  Go look
at the other side to figure out what it doesn't like.
</PRE>
 Various error messages from Pluto are discussed in the <A href="#error">
FAQ</A> and the <A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
 man page. 
<H3><A name="gdb.pluto">Using GDB on Pluto</A></H3>
 You may need to use the GNU degugger, gdb(1), on Pluto. This should be 
necessary only in unusal cases, for example if you encounter a problem 
which the Pluto developer cannot readily reproduce or if you are 
modifying Pluto. 
<P> Here are the Pluto developer's suggestions for doing this: </P>
<PRE>
Can you get a core dump and use gdb to find out what Pluto was doing
when it died?

To get a core dump, you will have to set dumpdir to point to a
suitable directory (see <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>).

To get gdb to tell you interesting stuff:
        $ script
        $ cd dump-directory-you-chose
        $ gdb /usr/local/lib/ipsec/pluto core
        (gdb) where
        (gdb) quit
        $ exit

The resulting output will have been captured by the script command in
a file called &quot;typescript&quot;.  Send it to the list.

Do not delete the core file.  I may need to ask you to print out some
more relevant stuff.
</PRE>
 Note that the <VAR>dumpdir</VAR> parameter takes effect only when the 
IPsec subsystem is restarted -- reboot or <VAR>ipsec setup restart</VAR>
. 
<H2><A name="ifconfig">ifconfig reports for KLIPS debugging</A></H2>
<P>From a mail message from our KLIPS developer:</P>
<PRE>
Here is a catalogue of the types of errors that can occur for which
statistics are kept when transmitting and receiving packets via klips.
I notice that they are not necessarily logged in the right counter.
. . .

Sources of ifconfig statistics for ipsec devices

rx-errors:
- packet handed to ipsec_rcv that is not an ipsec packet.
- ipsec packet with payload length not modulo 4.
- ipsec packet with bad authenticator length.
- incoming packet with no SA.
- replayed packet.
- incoming authentication failed.
- got esp packet with length not modulo 8.

tx_dropped:
- cannot process ip_options.
- packet ttl expired.
- packet with no eroute.
- eroute with no SA.
- cannot allocate sk_buff.
- cannot allocate kernel memory.
- sk_buff internal error.


The standard counters are:

struct enet_statistics
{
        int        rx_packets;                /* total packets received */
        int        tx_packets;                /* total packets transmitted */
        int        rx_errors;                /* bad packets received */
        int        tx_errors;                /* packet transmit problems */
        int        rx_dropped;                /* no space in linux buffers */
        int        tx_dropped;                /* no space available in linux */
        int        multicast;                /* multicast packets received */
        int        collisions;

        /* detailed rx_errors: */
        int        rx_length_errors;
        int        rx_over_errors;                /* receiver ring buff overflow */
        int        rx_crc_errors;                /* recved pkt with crc error */
        int        rx_frame_errors;        /* recv'd frame alignment error */
        int        rx_fifo_errors;                /* recv'r fifo overrun */
        int        rx_missed_errors;        /* receiver missed packet */

        /* detailed tx_errors */
        int        tx_aborted_errors;
        int        tx_carrier_errors;
        int        tx_fifo_errors;
        int        tx_heartbeat_errors;
        int        tx_window_errors;
};

of which I think only the first 6 are useful.
</PRE>
<H2><A name="testgates">Testing between security gateways</A></H2>
<P>Sometimes you need to test the tunnel between two security gateways. 
This  can be done by having a machine behind one gateway ping a machine 
behind the  other gateway, but this is not always convenient or even 
possible.</P>
<P>Simply pinging one gateway from the other is not useful. Such a ping 
does  not normally go through the tunnel. <STRONG>The tunnel handles 
trafiic  between the two protected subnets, not between the gateways</STRONG>
.  Depending on the routing in place, a ping might</P>
<UL>
<LI>either succeed by finding an unencrypted route</LI>
<LI>or fail by finding no route. Packets without an IPSEC eroute are 
 discarded.</LI>
</UL>
<P><STRONG>Neither event tells you anything about the tunnel</STRONG>. 
You  can explicitly create an eroute to force such packets through the 
tunnel, or  you can create additional tunnels as described in our <A href="#multitunnel">
configuration document</A>, but those may be an unnecessary 
 complications in your situation.</P>
<P>The trick is to explicitly use an IP address for the subnet-side 
 interface of one gateway machine, either as the target of a ping or as 
the  origin of a traceroute. Since that interface is on the protected 
subnet, the  resulting packets do go via the tunnel.</P>
<P> From the mailing list:</P>
<PRE>
&gt;; &gt; ;I have two gateways, SG1 and SG2, with I/Fs i and e (for internal and
&gt;; &gt; ;external), and two hosts, H1 and H2 set up as:
&gt;; &gt; ;
&gt;; &gt; ;     H1-----(i)SG1(e)===========(e)SG2(i)------H2
&gt;; &gt; ;
&gt;; &gt; ;And I want to test a tunnel set up between the H1 subnet and the H2
&gt;; &gt; ;subnet, but the H2 host may not exist yet, or may not be responding.
&gt;; &gt; ;
&gt;; &gt; ;If I ping SG2i from H1, all traffic in both directions is encrypted,
&gt;; &gt; ;testing the tunnel.
.....
&gt;; &gt; ;If I understand correctly, this could be accomplished by the 'ping -I'
&gt;; &gt; ;feature of which you spoke earlier or 'traceroute -i'?
&gt;; 
&gt;; Indeed, 
&gt;;   traceroute -i eth0 -f 20 otherSG 
&gt;; appears to give me a solution using only N machines, the SGs themselves.
&gt;; This is very nice.  Note that in this example, eth0 is the *private* (i)
&gt;; interface.  If you try it with the (e) interface or the ipsec0 interface,
&gt;; you won't get the desired result.  If you leave off the -f 20, the trace
&gt;; will hang in some totally bizarre way.
</PRE>
<P> Some older Linux distributions did not support ping -I, according 
to mailing list comments. More recent comments indicate that this does 
now work. For example, you can do:</P>
<PRE>
        ping -I 192.168.10.250 192.168.0.11
</PRE>
 to test between the interfaces on the two protected subnets. 
<H2><A name="c.guide">Claudia's guide</A></H2>
 FreeS/WAN &quot;listress&quot; (mailing list tech support person) Claudia 
Schmeing posted this guide to trouble-shooting in early March 2000. It 
may be worth checking list <A href="#archive">archives</A> for a more 
recent version. 
<PRE>
Your mail has inspired me to write a little trouble shooting 
guide to supplement and connect the existing docs on the subject.
Here's v. 1. Comments are welcome.


Steps in Troubleshooting Linux FreeS/WAN:
- -----------------------------------------

Finding the Error
- -----------------

First, try to find verbose text that describes how things are going wrong 
or creating unexpected results. Here's how:

While the dialog from ipsec auto --up myconn (or whatever) will tell
you where the process fails, it is often not very specific. And for
errors that have to do with the use of a conn, you may not even have
this.

More information can be gleaned from the log files, usually 
/var/log/messages or /var/log/secure. On some systems, the logfiles
are differently named. To find your error messages, check where your 
/etc/syslog.conf or equivalent is directing authpriv.

The amount of your error's description in your logs depends on your debug 
settings, klipsdebug= and plutodebug=, in ipsec.conf. See man ipsec.conf for 
details. Note that usually, either 'none' or 'all' will be what you want; 
you don't need to worry about the nuances of the debug options.

If you're having an negotiation problem (as you are, above) plutodebug 
is most relevant. If you have a connection established but the
packets aren't doing what you think they should, play with klipsdebug.
See also /doc/ipsec.html#parts for the division of duties within
Linux FreeS/WAN.

After raising your debug levels, restart Linux FreeS/WAN to ensure that
the conf file is re-read, then re-create the error to generate 
verbose logs. Proceed to the failure point in the logs and find 
the handful of lines which succinctly describe how things are going 
wrong or contrary to your expectation.


Interpreting the Error
- ----------------------

To interpret this text, use the following resources:

* the FAQ, doc/faq.html. Since the FAQ is constantly being updated,
the snapshot may have a new entry relevant to your problem. For example,
the faq in today's snapshot, addresses several more questions than the 
version on the site.

* doc/config.html. Instructions for some configurations you can 
make with Linux FreeS/WAN. See especially doc/config.html#multitunnel,
which is useful in a large proportion of the questions we see on the list.

* doc/trouble.html.  Debugging instructions and notes. Note that 
most people now test automatic keying only if that's what they're using 
in the field, and only revert to manual testing to test unexpected 
behaviour that seems to be occurring at a very basic level.

* the list archives. There are three: sandelman nexial, as listed
at mail.html, and the archive for the filtered list at exim.org:

http://www.exim.org/pipermail/linux-ipsec/
(also listed in the upcoming docs).

Each of them works differently, so it's worth checking each.

Take a snippet of the text of your error which doesn't include anything
site specific, ex. &quot;No connection is known for&quot;, and search on this.
It's likely you'll find the same answer to someone else's question 
this way, and it's faster than asking real-time humans ;-)

* Sometimes a quick peek into the code where the error is being generated
can be helpful. The pluto code is pretty well documented with comments
and meaningful variable names.


Asking for Help
- ---------------

A combination of the freeswan.org pages mentioned above and an archive 
search will address nearly every problem. But for those times when 
you've found something unusual, or your forehead is sore from banging 
it on your monitor, there's always the mailing list ;-)

When writing the list, remember that more is more -- While sometimes 
an initial query with a quick description of your intent and error 
will twig someone's memory of a similar problem, it's often necessary to 
send a second mail with a complete problem report. See doc/prob.report
for details. Lastly, as a kindness to other list members, you might post 
a link to a website where you've published your barf file rather than 
the entire file, if that option's available to you.

Happy trouble shooting,

Claudia
</PRE>
<HR>
<H1><A name="kernelconfig">Kernel configuration for FreeS/WAN</A></H1>
<P> This section lists many of the options available when configuring a 
Linux  kernel, and explains how they should be set on a FreeS/WAN IPSEC 
 gateway.</P>
<H2><A name="notall">Not everyone needs to worry about kernel 
configuration</A></H2>
<P>Note that in many cases you do not need to mess with these.</P>
<P> You may have a Linux distribution which comes with FreeS/WAN 
installed (see this <A href="#products">list</A>).  In that case, you 
need not do a FreeS/WAN installation or a kernel  configuration. Of 
course, you might still want to configure and rebuild your  kernel to 
improve performance or security. This can be done with standard  tools 
described in the <A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
Kernel HowTo</A>.</P>
<P>If you need to install FreeS/WAN, then you do need to configure a 
kernel.  However, you may choose to do that using the simplest 
procedure:</P>
<UL>
<LI>Configure, build and test a kernel for your system before adding 
FreeS/WAN. See the <A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
Kernel HowTo</A> for details. <STRONG>This step cannot be  skipped</STRONG>
. FreeS/WAN needs the results of your configuration.</LI>
<LI>Then use FreeS/WAN's <VAR>make oldgo</VAR> command. This sets 
 everything FreeS/WAN needs and retains your values everywhere else.</LI>
</UL>
<P> This document is for those who choose to configure their FreeS/WAN 
kernel themselves.</P>
<H2><A name="assume">Assumptions and notation</A></H2>
<P> Help text for most kernel options is included with the kernel 
files, and is accessible from within the configuration utilities. We 
assume you will refer to that, and to the <A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
Kernel HowTo</A>, as necessary. This document covers only the 
FreeS/WAN-specific aspects of the problem.</P>
<P> To avoid duplication, this document section does not cover settings 
for the additional IPSEC-related kernel options which become available 
after you have patched your kernel with FreeS/WAN patches. There is 
help text for those available from within the configuration utility.</P>
<P> We assume a common configuration in which the FreeS/WAN IPSEC 
gateway is also doing ipchains(8) firewalling for a local network, and 
possibly masquerading as well.</P>
<P> Some suggestions below are labelled as appropriate for &quot;a true 
paranoid&quot;. By this we mean they may cause inconvenience and it is not 
entirely clear  they are necessary, but they appear to be the safest 
choice. Not using them  might entail some risk. Of course one suggested 
mantra for security  administrators is: &quot;I know I'm paranoid. I wonder 
if I'm paranoid  enough.&quot;</P>
<H3><A name="labels">Labels used</A></H3>
<P>Six labels are used to indicate how options should be set. We mark 
the  labels with [square brackets]. For two of these labels, you have 
no  choice:</P>
<DL>
<DT>[required]</DT>
<DD>essential for FreeS/WAN operation.</DD>
<DT>[incompatible]</DT>
<DD>incompatible with FreeS/WAN.</DD>
</DL>
<P>those must be set correctly or FreeS/WAN will not work</P>
<P>FreeS/WAN should work with any settings of the others, though of 
course  not all combinations have been tested. We do label these in 
various ways,  but <EM>these labels are only suggestions</EM>.</P>
<DL>
<DT>[recommended]</DT>
<DD>useful on most FreeS/WAN gateways</DD>
<DT>[disable]</DT>
<DD>an unwelcome complication on a FreeS/WAN gateway.</DD>
<DT>[optional]</DT>
<DD>Your choice. We outline issues you might consider.</DD>
<DT>[anything]</DT>
<DD>This option has no direct effect on FreeS/WAN and related tools, so 
 you should be able to set it as you please.</DD>
</DL>
<P> Of course complexity is an enemy in any effort to build secure 
systems. <STRONG>For maximum security, any feature that can reasonably 
be turned off should be</STRONG>. &quot;If in doubt, leave it out.&quot;</P>
<H2><A name="kernelopt">Kernel options for FreeS/WAN</A></H2>
<P>Indentation is based on the nesting shown by 'make menuconfig' with 
a  2.2.16 kernel for the i386 architecture.</P>
<DL>
<DT><A name="maturity">Code maturity and level options</A></DT>
<DD>
<DL>
<DT><A name="devel">Prompt for development ...  code/drivers</A></DT>
<DD>[optional] If this is <VAR>no</VAR>, experimental drivers are  not 
shown in later menus. </DD>
<P>For most FreeS/WAN work, <VAR>no</VAR> is the preferred  setting. 
Using new or untested components is too risky for a  security gateway.</P>
<P>However, for some hardware (such as the author's network  cards) the 
only drivers available are marked <VAR> new/experimental</VAR>. In such 
cases, you must enable this  option or your cards will not appear under 
&quot;network device  support&quot;. A true paranoid would leave this option off 
and  replace the cards.</P>
</DL>
</DD>
</DL>
<DT>Processor type and features</DT>
<DD>[anything]</DD>
<DT>Loadable module support</DT>
<DD>
<DL>
<DT>Enable loadable module support</DT>
<DD>[optional] A true paranoid would disable this. An attacker who  has 
root access to your machine can fairly easily install a  bogus module 
that does awful things, provided modules are  enabled. A common tool 
for attackers is a &quot;rootkit&quot;, a set  of tools used once they have 
become root to introduce assorted  additional compromises so that they 
&quot;own&quot; your system  despite most recovery efforts. For Linux, there is a 
tool called <A href="http://www.sans.org/newlook/resources/IDFAQ/knark.htm">
 knark</A> which is basically a rootkit packaged as a kernel module. </DD>
<P>With modules disabled, an attacker cannot install a bogus module. 
 The only way  he can achieve the same effects is to install a new 
kernel and  reboot. This is considerably more likely to be noticed. </P>
<P>Many FreeS/WAN gateways run with modules enabled. This  simplifies 
some administrative tasks and some ipchains features  are available 
only as modules. Once an enemy has root on your  machine your security 
is nil, so arguably defenses which come  into play only in that 
situation are pointless.</P>
<P></DL>
</DD>
<DT>Set version information ....</DT>
<DD>[optional] This provides a check to prevent loading modules 
 compiled for a different kernel.</DD>
<DT>Kernel module loader</DT>
<DD>[disable] It gives little benefit on a typical FreeS/WAN gate  and 
entails some risk.</DD>
<DT>General setup</DT>
<DD>We list here only the options that matter for FreeS/WAN. 
<DL>
<DT>Networking support</DT>
<DD>[required]</DD>
<DT>Sysctl interface</DT>
<DD>[optional] If this option is turned on and the <VAR> /proc</VAR>
 filesystem installed, then you can control  various system behaviours 
by writing to files under <VAR> /proc/sys</VAR>. For example: </DD>
<PRE>        echo 1 &gt; /proc/sys/net/ipv4/ipforward</PRE>
 turns IP forwarding on. 
<P>Disabling this option breaks many firewall scripts. A true  paranoid 
would disable it anyway since it might conceivably be  of use to an 
attacker.</P>
</DL>
</DD>
<DT>Plug and Play support</DT>
<DD>[anything]</DD>
<DT>Block devices</DT>
<DD>[anything]</DD>
<DT>Networking options</DT>
<DD>
<DL>
<DT>Packet socket</DT>
<DD>[optional] This kernel feature supports tools such as  tcpdump(8) 
which communicate directly with network hardware,  bypassing kernel 
protocols. This is very much a two-edged sword: 
<UL>
<LI>such tools can be very useful to the firewall admin,  especially 
during initial testing</LI>
<LI>should an evildoer breach your firewall, such tools could  give him 
or her a great deal of information about the rest  of your network</LI>
</UL>
 We recommend disabling this option on production gateways.</DD>
<DT><A name="netlink">Kernel/User netlink socket</A></DT>
<DD>[optional] Required if you want to use <A href="#adv">advanced 
 router</A> features.</DD>
<DT>Routing messages</DT>
<DD>[optional]</DD>
<DT>Netlink device emulation</DT>
<DD>[optional]</DD>
<DT>Network firewalls</DT>
<DD>[recommended] You need this if the IPSEC gateway also  functions as 
a firewall. </DD>
<P>Even if the IPSEC gateway is not your primary firewall, we  suggest 
setting this so that you can protect the gateway with at  least basic 
local packet filters.</P>
</DL>
</DD>
<DT>Socket filtering</DT>
<DD>[disable] This enables an older filtering interface. We suggest 
 using ipchains(8) instead. To do that, set the &quot;Network  firewalls&quot; 
option just above, and not this one.</DD>
<DT>Unix domain sockets</DT>
<DD>[required] These sockets are used for communication between the <A href="manpage.d/ipsec.8.html">
 ipsec(8)</A> commands and the <A href="manpage.d/ipsec_pluto.8.html">
ipsec_pluto(8)</A> daemon.</DD>
<DT>TCP/IP networking</DT>
<DD>[required] 
<DL>
<DT>IP: multicasting</DT>
<DD>[anything]</DD>
<DT><A name="adv">IP: advanced router</A></DT>
<DD>[optional] This gives you policy routing, which some  people have 
used to good advantage in their scripts for  FreeS/WAN gateway 
management. It is not used in our  distributed scripts, so not required 
unless you want it  for custom scripts. It requires the <A href="#netlink">
netlink</A> interface between kernel code  and the iproute2(8) command.</DD>
<DT>IP: kernel level autoconfiguration</DT>
<DD>[disable] It gives little benefit on a typical FreeS/WAN  gate and 
entails some risk.</DD>
<DT>IP: firewall packet netlink device</DT>
<DD>[disable]</DD>
<DT>IP: transparent proxy support</DT>
<DD>[optional] This is required in some firewall configurations,  but 
should be disabled unless you have a definite need for it. </DD>
<DT>IP: masquerading</DT>
<DD>[optional] Required if you want to use <A href="#non-routable">
 non-routable</A> private  IP addresses for your local network.</DD>
<DT>IP: Optimize as router not host</DT>
<DD>[recommended]</DD>
<DT>IP: tunneling</DT>
<DD>[required]</DD>
<DT>IP: GRE tunnels over IP</DT>
<DD>[anything]</DD>
<DT>IP: aliasing support</DT>
<DD>[anything]</DD>
<DT>IP: ARP daemon support (EXPERIMENTAL)</DT>
<DD>Not required on most systems, but might prove useful on 
 heavily-loaded gateways.</DD>
<DT>IP: TCP syncookie support</DT>
<DD>[recommended] It provides a defense against a <A href="#DoS">denial 
of  service attack</A> which uses bogus TCP connection  requests to 
waste resources on the victim machine.</DD>
<DT>IP: Reverse ARP</DT>
<DD>
<DT>IP: large window support</DT>
<DD>[recommended] unless you have less than 16 meg RAM</DD>
</DL>
</DD>
<DT>IPv6</DT>
<DD>[optional] FreeS/WAN does not currently support IPv6, though work 
on  integrating FreeS/WAN with the Linux IPv6 stack has begun. <A href="#ipv6">
 Details</A>. </DD>
<P> It should be possible to use IPv4 FreeS/WAN on a machine which also 
 does IPv6. This combination is not yet well tested. We would be quite 
 interested in hearing results from anyone expermenting with it, via 
the <A href="mail.html"> mailing list</A>. </P>
<P> We do not recommend using IPv6 on production FreeS/WAN gateways 
until  more testing has been done. </P>
<DT>Novell IPX</DT>
<DD>[disable]</DD>
<DT>Appletalk</DT>
<DD>[disable] Quite a few Linux installations use IP but also have 
 some other protocol, such as Appletalk or IPX, for communication  with 
local desktop machines. In theory it should be possible to  configure 
IPSEC for the IP side of things without interfering  with the second 
protocol. </DD>
<P>We do not recommend this. Keep the software on your gateway  as 
simple as possible. If you need a Linux-based Appletalk or  IPX server, 
use a separate machine.</P>
<DT>Telephony support</DT>
<DD>[anything]</DD>
<DT>SCSI support</DT>
<DD>[anything]</DD>
<DT>I2O device support</DT>
<DD>[anything]</DD>
<DT>Network device support</DT>
<DD>[anything] should work, but there are some points to note. </DD>
<P>The development team test almost entirely on 10 or 100 megabit 
 Ethernet and modems. In principle, any device that can do IP should be 
 just fine for IPSEC, but in the real world any device that has not 
 been well-tested is somewhat risky. By all means try it, but don't bet 
 your project on it until you have solid test results.</P>
<P>If you disabled experimental drivers in the <A href="#maturity">Code 
maturity</A> section above, then those drivers  will not be shown here. 
Check that option before going off to hunt for  missing drivers.</P>
<P>If you want Linux to automatically find more than one ethernet 
 interface at boot time, you need to:</P>
<UL>
<LI>compile the appropriate driver(s) into your kernel. Modules will 
 not work for this</LI>
<LI>add a line such as </LI>
<PRE>
   append=&quot;ether=0,0,eth0 ether=0,0,eth1&quot;
</PRE>
 to your /etc/lilo.conf file. In some cases you may need to specify 
 parameters such as IRQ or base address. The example uses &quot;0,0&quot;  for 
these, which tells the system to search. If the search does not 
 succeed on your hardware, then you should retry with explicit 
parameters.  See the lilo.conf(5) man page or the <A href="http://www.linuxdocs.org/mini/LILO.html">
 LILO mini-HowTo</A> for details.
<LI>run lilo(8)</LI>
</UL>
 Having Linux find the cards this way is not necessary, but is usually 
more  convenient than loading modules in your boot scripts.
<DT>Amateur radio support</DT>
<DD>[anything]</DD>
<DT>IrDA (infrared) support</DT>
<DD>[anything]</DD>
<DT>ISDN subsystem</DT>
<DD>[anything]</DD>
<DT>Old CDROM drivers</DT>
<DD>[anything]</DD>
<DT>Character devices</DT>
<DD>The only required character device is: 
<DL>
<DT>random(4)</DT>
<DD>[required] This is a source of <A href="#random">random</A> numbers 
which are required for many cryptographic protocols,  including several 
used in IPSEC. </DD>
<P>If you are comfortable with C source code, it is likely a  good idea 
to go in and adjust the <VAR>#define</VAR> lines in <VAR>
 /usr/src/linux/drivers/char/random.c</VAR> to ensure that  all sources 
of randomness are enabled. Relying solely on  keyboard and mouse 
randomness is dubious procedure for a gateway  machine. You could also 
increase the randomness pool size from  the default 512 bytes (128 
32-bit words).</P>
</DL>
</DD>
<DT>Filesystems</DT>
<DD>[anything] should work, but we suggest limiting a gateway  machine 
to the standard Linux ext2 filesystem in most  cases.</DD>
<DT>Network filesystems</DT>
<DD>[disable] These systems are an unnecessary risk on an IPSEC 
 gateway.</DD>
<DT>Console drivers</DT>
<DD>[anything]</DD>
<DT>Sound</DT>
<DD>[anything] should work, but we suggest enabling sound only if  you 
plan to use audible alarms for firewall problems.</DD>
<DT>Kernel hacking</DT>
<DD>[disable] This might be enabled on test machines, but should  not 
be on production gateways.</DD>
<HR>
<H1><A name="roadmap">Distribution Roadmap: What's Where in Linux 
FreeS/WAN</A></H1>
<P> This file is a guide to the locations of files within the FreeS/WAN 
distribution. Everything described here should be on your system once 
you download, gunzip, and untar the distribution.</P>
<P>This distribution contains two major subsystems </P>
<DL>
<DT><A href="#klips.roadmap">KLIPS</A></DT>
<DD>the kernel code</DD>
<DT><A href="#pluto.roadmap">Pluto</A></DT>
<DD>the user-level key-management daemon</DD>
</DL>
<P>plus assorted odds and ends. </P>
<H2><A name="top">Top directory</A></H2>
<P>The top directory has essential information in text files:</P>
<DL>
<DT>README</DT>
<DD>introduction to the software</DD>
<DT>INSTALL</DT>
<DD>short experts-only installation procedures. More detalied 
procedures are in <A href="install.html"> installation</A> and <A href="config.html">
 configuration</A> HTML documents.</DD>
<DT>BUGS</DT>
<DD>major known bugs in the current release.</DD>
<DT>CHANGES</DT>
<DD>changes from previous releases</DD>
<DT>CREDITS</DT>
<DD>acknowledgement of contributors</DD>
<DT>COPYING</DT>
<DD>licensing and distribution information</DD>
</DL>
<H2><A name="doc">Documentation</A></H2>
<P> The doc directory contains the bulk of the documentation, most of 
it in HTML format. See the <A href="index.html">index file</A> for 
details. </P>
<H2><A name="klips.roadmap">KLIPS: kernel IP security</A></H2>
<P><A href="#KLIPS"> KLIPS</A> is <STRONG>K</STRONG>erne<STRONG>L</STRONG><STRONG>
 IP</STRONG><STRONG> S</STRONG>ecurity. It lives in the klips 
directory, of course. </P>
<DL>
<DT>klips/doc</DT>
<DD>documentation</DD>
<DT>klips/patches</DT>
<DD>patches for existing kernel files</DD>
<DT>klips/test</DT>
<DD>test stuff</DD>
<DT>klips/utils</DT>
<DD>low-level user utilities</DD>
<DT>klips/net/ipsec</DT>
<DD>actual klips kernel files</DD>
<DT>klips/src</DT>
<DD>symbolic link to klips/net/ipsec </DD>
<P>The &quot;make insert&quot; step of installation installs the patches and 
makes  a symbolic link from the kernel tree to klips/net/ipsec. The odd 
name of  klips/net/ipsec is dictated by some annoying limitations of 
the scripts  which build the Linux kernel.  The symbolic-link business 
is a bit  messy, but all the alternatives are worse.</P>
<P>
<DT>klips/utils</DT>
<DD>Utility programs: </DD>
<P>
<DL>
<DT>eroute</DT>
<DD>manipulate IPSEC extended routing tables</DD>
<DT>klipsdebug</DT>
<DD>set Klips (kernel IPSEC support) debug features and level</DD>
<DT>spi</DT>
<DD>manage IPSEC Security Associations</DD>
<DT>spigrp</DT>
<DD>group/ungroup IPSEC Security Associations</DD>
<DT>tncfg</DT>
<DD>associate IPSEC virtual interface with real interface</DD>
</DL>
<P>These are all normally invoked by ipsec(8) with commands such as</P>
<PRE>        ipsec tncfg <VAR>arguments</VAR></PRE>
 There are section 8 man pages for all of these; the names have 
&quot;ipsec_&quot;  as a prefix, so your man command should be something like: 
<PRE>        man 8 ipsec_tncfg</PRE>
</DL>
<H2><A name="pluto.roadmap">Pluto key and connection management daemon</A>
</H2>
<P><A href="#Pluto"> Pluto</A> is our key management and negotiation 
daemon. It lives in the pluto directory, along with its low-level user 
utility, whack. </P>
<P> There are no subdirectories. Documentation is a man page, <A href="manpage.d/ipsec_pluto.8.html">
pluto.8</A>. This covers whack as well. </P>
<H2><A name="utils">Utils</A></H2>
<P> The utils directory contains a growing collection of higher-level 
user utilities, the commands that administer and control the software. 
 Most of the things that you will actually have to run yourself are in 
there. </P>
<DL>
<DT>ipsec</DT>
<DD>invoke IPSEC utilities </DD>
<P>ipsec(8) is normally the only program installed in a standard 
 directory, /usr/local/sbin. It is used to invoke the others, both 
those  listed below and the ones in klips/utils mentioned above.</P>
<P>
<DT>auto</DT>
<DD>control automatically-keyed IPSEC connections</DD>
<DT>manual</DT>
<DD>take manually-keyed IPSEC connections up and down</DD>
<DT>barf</DT>
<DD>generate copious debugging output</DD>
<DT>look</DT>
<DD>generate moderate amounts of debugging output</DD>
</DL>
<P> There are .8 manual pages for these. look is covered in barf.8. The 
man pages have an &quot;ipsec_&quot; prefix so your man command should be 
something like: </P>
<PRE>
        man 8 ipsec_auto
</PRE>
<P> Examples are in various files with names utils/*.eg</P>
<H2><A name="lib">Libraries</A></H2>
<H3><A name="fswanlib">FreeS/WAN Library</A></H3>
<P> The lib directory is the FreeS/WAN library, also steadily growing, 
used by both user-level and kernel code.
<BR /> It includes section 3 <A href="manpages.html">man pages</A> for 
the library routines. </P>
<H3><A name="otherlib">Imported Libraries</A></H3>
<H4>LibDES</H4>
 The libdes library, originally from SSLeay, is used by both Klips and 
Pluto for <A href="#3DES">Triple DES</A> encryption. Single DES is not 
used because <A href="#desnotsecure">it is insecure</A>. 
<P> Note that this library has its own license, different from the <A href="#GPL">
GPL</A> used for other code in FreeS/WAN. </P>
<P> The library includes its own documentation. </P>
<H4>GMP</H4>
 The GMP (GNU multi-precision) library is used for multi-precision 
arithmetic in Pluto's key-exchange code and public key code. 
<P> Older versions (up to 1.7) of FreeS/WAN included a copy of this 
library in the FreeS/WAN distribution. </P>
<P> Since 1.8, we have begun to rely on the system copy of GMP. </P>
<HR>
<H1><A name="compat">Linux FreeS/WAN Compatibility Guide</A></H1>
<P> Most of this document is quoted directly from the Linux FreeS/WAN <A href="mail.html">
mailing list</A>. Thanks very much to the community of  testers, 
patchers and commenters there, especially the ones quoted below but 
 also various contributors we haven't quoted.</P>
<H2><A name="spec">Implemented parts of the IPSEC Specification</A></H2>
<P> In general, do not expect Linux FreeS/WAN to do everything yet. 
This is a work-in-progress and some parts of the IPSEC specification 
are not yet implemented.</P>
<H3><A name="in">In Linux FreeS/WAN</A></H3>
<P> Things we do, as of version 1.9:</P>
<UL>
<LI>key management methods 
<DL>
<DT>manually keyed</DT>
<DD>using keys stored in /etc/ipsec.conf</DD>
<DT>automatically keyed</DT>
<DD>Automatically negotiating session keys as required. All 
 connections are automatically re-keyed periodically. The <A href="#Pluto">
 Pluto</A> daemon implements this  using the <A href="#IKE">IKE</A>
 protocol.</DD>
</DL>
</LI>
<LI>Methods of authenticating gateways for IKE 
<DL>
<DT>shared secrets</DT>
<DD>stored in /etc/ipsec.secrets</DD>
<DT>RSA signatures</DT>
<DD>This was new code in 1.3. For details, see pluto(8).</DD>
<DT>looking up RSA authentication keys from <A href="#DNS">DNS</A>.</DT>
<DD>This was new code in 1.4, and is not yet heavily tested. Note  that 
this technique cannot be fully secure until <A href="#SDNS">secure DNS</A>
 is widely deployed.</DD>
</DL>
</LI>
<LI>groups for Diffie-Hellman key negotiation 
<DL>
<DT>group 2, modp 1024-bit</DT>
<DT>group 5, modp 1536-bit</DT>
<DD>We implement these two groups. </DD>
<P> In negotiating a keying connection (ISAKMP SA, Phase 1) we propose 
both  groups when we are the initiator, and accept either when a peer 
proposes  them. Once the keying connection is made, we propose only the 
alternative  agreed there for data  connections (IPSEC SA's, Phase 2) 
negotiated over that keying connection.</P>
</DL>
</LI>
<LI>encryption transforms 
<DL>
<DT><A href="#DES">DES</A></DT>
<DD>DES is in the source code since it is needed to implement  3DES, 
but single DES is not made available to users because <A href="#desnotsecure">
DES is insecure</A>.</DD>
<DT><A href="#3DES">Triple DES</A></DT>
<DD>implemented, and used as the default encryption in Linux  FreeS/WAN.</DD>
</DL>
</LI>
<LI>authentication transforms 
<DL>
<DT>keyed <A href="#MD5">MD5</A></DT>
<DD>implemented, may be used in IKE or by by AH or ESP  transforms.</DD>
<DT>keyed <A href="#SHA">SHA</A></DT>
<DD>implemented, may be used in IKE or by AH or ESP transforms.</DD>
</DL>
</LI>
<P> In negotiations, we propose both of these and accept either. </P>
<LI>compression transforms 
<DL>
<DT>IPComp</DT>
<DD>IPComp as described in RFC 2393 has been added for FreeS/WAN 1.6. 
 It is disabled in the default FreeS/WAN kernel configuration because 
it  is new code, not yet fully trusted. Note that Pluto becomes 
confused if  you ask it to do IPComp when the kernel cannot. </DD>
<P> Some difficulties in interopreation are anticipated with this. The 
RFC  says to leave out some things which many compression libraries put 
in.  We do leave these out, but other implementations may not. </P>
</DL>
</LI>
</UL>
<P> All combinations of implemented transforms are supported. Note that 
some form of packet-level <STRONG>authentication is required whenever 
encryption is used</STRONG>. Without it, the encryption will not be 
secure.</P>
<H3><A name="dropped">Deliberately ommitted</A></H3>
 We do not implement everything in the RFCs because some of those 
things are insecure. See our discussions of avoiding <A href="#weak">
bogus security</A>.
<P>
<P> Things we deliberately omit which are required in the RFCs are:</P>
<UL>
<LI>null encryption (to use ESP as an authentication-only service) </LI>
<LI>single DES </LI>
<LI>DH group 1, a 768-bit modp group </LI>
</UL>
<P> Since these are the only encryption algorithms and DH group the 
RFCs require, it is possible in theory to have a standards-conforming 
implementation which will not interpoperate with FreeS/WAN. Such an 
implementation would be inherently insecure, so we do not consider this 
a problem. Anyway, most implementations sensibly include more secure 
options as well, so dropping null encryption, single DES and Group 1 
does not greatly hinder interoperation in practice.</P>
<P> We also do not implement some optional features allowed by the 
RFCs: </P>
<UL>
<LI>aggressive mode for negotiation of the keying channel or ISAKMP SA. 
This mode is a little faster than main mode, but exposes more 
information to an eavesdropper. </LI>
</UL>
<P> In theory, this should cause no interoperation problems since all 
implementations are required to support the more secure main mode, 
whether or not they also allow aggressive mode. </P>
<P> In practice, it does sometimes produce problems with 
implementations such as Windows 2000 where aggressive mode is the 
default. Typically, these are easily solved with a configuration change 
that overrides that default.</P>
<H3><A name="not">Not (yet) in Linux FreeS/WAN</A></H3>
<P> Things we don't yet do, as of version 1.91:</P>
<UL>
<LI>key management methods 
<UL>
<LI>authenticate key negotiations via local <A href="#PKI">PKI</A>
 server, but see links to user <A href="#patch">patches</A></LI>
<LI>authenticate key negotiations via <A href="#SDNS">secure  DNS</A></LI>
<LI>unauthenticated key management, using <A href="#DH">Diffie-Hellman</A>
 key agreement protocol without  authentication. Arguably, this would 
be worth doing since it is  secure against all passive attacks. On the 
other hand, it is  vulnerable to an active <A href="#middle">
man-in-the-middle  attack</A>.</LI>
<LI>opportunistic IPSEC tunnel creation, in which any two IPSEC aware 
 machines can automatically try to negotiate encryption for any 
 communication, subject of course to their local policies. This is a 
 long-term goal of the Linux FreeS/WAN project, but it requires at 
 least one of: 
<UL>
<LI>a nearly universal PKI</LI>
<LI>widespread use of secure DNS</LI>
<LI>a decision to take the risks of unauthenticated keying</LI>
</UL>
 None of these are in place yet. </LI>
<P>We expect eventually to do it using DNS. The newer versions of <A href="#BIND">
BIND</A> provide much of what we need but they are not  yet widespread 
and our code to communicate with them is not  ready.</P>
<P><STRONG> Update:</STRONG> As of 1.91, we have beta-testable code for 
opportunistic encryption. See our <A href="#oppex">configuration 
document</A>. </P>
</UL>
</LI>
</UL>
<LI>encryption transforms </LI>
<P>Currently <A href="#3DES">Triple DES</A> is the only encryption 
 method Pluto will negotiate.</P>
<P>No additional encryption transforms are yet implemented, though the 
 RFCs allow them and some other IPSEC implementations support various 
of  them. We are not eager to add more, since they complicate both our 
work  and that of the gateway administrator without any obvious 
security  improvement. We would certainly not want to incorporate any 
 cryptographic method that had inadequate key length or had not been 
 sujected to intensive review over some time.</P>
<P>Rjindael, which just won the <A href="#AES">AES</A> competition to 
 choose a successor to the DES standard, is an excellent candidate  for 
inclusion in FreeS/WAN. This might be a good project for a  volunteer.</P>
<LI>authentication transforms </LI>
<P>No optional additional authentication transforms are currently 
 implemented and we do not forsee a need to add any soon.</P>
<LI>Policy checking on decrypted packets </LI>
<P> To fully comply with the RFCs, it is not enough just to accept only 
packets  which survive any firewall rules in place to limit what IPSEC 
packets get in,  and then pass KLIPS authentication. That is what 
FreeS/WAN currently does. </P>
<P> We should also apply additional tests, for example ensuring that 
all packets  emerging from a particular tunnel have sourcen and 
destination addresses that  fall within the subnets defined for that 
tunnel, and that packets with those  addresses that did not emerge from 
the appropriate tunnel are disallowed. </P>
<P> This will be done as part of the KLIPS rewrite currently in 
progress. See  these <A href="#applied">links</A> and the <A href="mail.html">
 design mailing list</A> for discussion. </P>
<H2><A name="pfkey">Our PF-Key implementation</A></H2>
<P>We use PF-key Version Two for communication between the KLIPS kernel 
code  and the Pluto Daemon. PF-Key v2 is defined by <A href="http://www.normos.org/ietf/rfc/rfc2367.txt">
 RFC 2367</A>. </P>
<P>The &quot;PF&quot; stands for Protocol Family. PF-Inet defines a 
kernel/userspace  interface for the TCP/IP Internet protocols (TCP/IP), 
and other members of  the PF series handle Netware, Appletalk, etc. 
PF-Key is just a PF for  key-related matters.</P>
<P>Our PF-Key implementation is not yet (mid-July 2000) complete. In 
 particular, it is mostly one-way, used for Pluto to talk to KLIPS but 
not  yet doing much upward communication from kernel to user space. 
This will  change, but is not at the top of our priority list.</P>
<H3><A name="pfk.port">PF-Key portability</A></H3>
<P> PF-Key came out of Berkeley Unix work and is used in the various 
BSD IPSEC implementations, and in Solaris. This means there is some 
hope of porting our Pluto(8) to one of the BSD distributions, or of 
running their photurisd(8) on Linux if you prefer <A href="#photuris">
Photuris</A> key management over IKE.</P>
<P> It is, however, more complex than that. The PK-Key RFC deliberately 
deals only with keying, not policy management. The three PF-Key 
implementations we have looked at -- ours, OpenBSD and KAME -- all have 
extensions to deal with security policy, and the extensions are 
different. There have been discussions aimed at sorting out the 
differences, perhaps for a version three PF-Key spec. All players are 
in favour of this, but everyone involved is busy and it is not clear 
whether or when these discussions might bear fruit.</P>
<H2><A name="otherk">Kernels other than 2.0.38 and 2.2.18</A></H2>
<P> We develop and test on:</P>
<UL>
<LI>Redhat 6.1 with a 2.2.19 kernel.</LI>
<LI>Redhat 7.1 with a 2.4.4 kernel.</LI>
</UL>
<P> This is what we recommend. </P>
<H3><A name="kernel.2.0">Other 2.0.x Intel Kernels</A></H3>
<P> Consider upgrading to the 2.2 kernel series. If you want to stay 
with the 2.0 series, then we strongly recommend 2.0.39. Some useful 
security patches were added in 2.0.38.</P>
<P> Various versions of the code have run at various times on most 
2.0.xx kernels, but the current version is only lightly tested on 
2.0.39, and not at all on older kernels. </P>
<P> Some of our patches for older kernels are shipped in 2.0.37 and 
later, so they are no longer provided in FreeS/WAN. This means recent 
versions of FreeS/WAN will probably not compile om anything earlier 
than 2.0.37.</P>
<H3><A name="kernel.production">2.2 and 2.4 Kernels</A></H3>
<DL>
<DT>FreeS/WAN 1.0</DT>
<DD>ran only on 2.0 kernels</DD>
<DT>FreeS/WAN 1.1 to 1.8</DT>
<DD>ran on 2.0 or 2.2 kernels
<BR> ran on some development kernels, 2.3 or 2.4-test</DD>
<DT>FreeS/WAN 1.9</DT>
<DD>runs on 2.0, 2.2 or 2.4 kernels</DD>
</DL>
<P> In general, <STRONG>we suggest the latest 2.2 kernel or 2.4 for 
production use</STRONG>. At time of writing (early June 2001, just 
before our 1.91 release) these are 2.2.19 and 2.4.5. </P>
<P> Of course no release can be guaranteed to run on kernels more 
recent than it is, so quite often there will be no stable FreeS/WAN for 
the absolute latest kernel. See the <A href="#k.versions">FAQ</A> for 
discussion. </P>
<H2><A name="otherdist">Intel Linux distributions other than Redhat</A></H2>
<P> We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat 
7.1 for 2.4, so minor changes may be required for other distributions.</P>
<H3><A name="rh7">Redhat 7.0</A></H3>
<P> There are some problems with FreeS/WAN on Redhat 7.0, but they are 
soluble. </P>
<P> Redhat 7 ships with two compilers. </P>
<UL>
<LI>Their <VAR>gcc</VAR> is version 2.96. Various people, including the 
GNU compiler developers and Linus, have said fairly emphatically that 
using this was a mistake. 2.96 is a development version, not intended 
for production use. In particular, it will not compile a Linux kernel. </LI>
<LI> Redhat therefore also ship a separate compiler, which they call <VAR>
kgcc</VAR>, for compiling kernels. </LI>
</UL>
<P> Kernel Makefiles have <VAR>gcc</VAR> as a default, and must be 
adjusted to use <VAR>kgcc</VAR> before a kernel will compile on 7.0. 
This mailing list message gives details: </P>
<PRE>
Subject: Re: AW: Installing IPSEC on Redhat 7.0
   Date: Thu, 1 Feb 2001 14:32:52 -0200 (BRST)
  From: Mads Rasmussen &lt;mads@cit.com.br&gt;
 
&gt; From www.redhat.com/support/docs/gotchas/7.0/gotchas-7-6.html#ss6.1

cd to /usr/src/linux and open the Makefile in your favorite editor. You
will need to look for a line similar to this:

CC = $(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH)


This line specifies which C compiler to use to build the kernel. It should
be changed to:

CC = $(CROSS_COMPILE)kgcc -D__KERNEL__ -I$(HPATH)

for Red Hat Linux 7. The kgcc compiler is egcs 2.91.66. From here you can
proceed with the typical compiling steps.
</PRE>
 Check the <A href="mail.html">mailing list</A> archive for more recent 
news.
<H3><A name="suse">SuSE Linux</A></H3>
<P> SuSE 6.3 and later versions, at least in Europe, ship with 
FreeS/WAN included.</P>
<P>Here are some notes for an earlier SuSE version.</P>
<H4>SuSE Linux 5.3</H4>
<PRE>Date: Mon, 30 Nov 1998
From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;

... I got Saturdays snapshot working between my two SUSE5.3 machines at home.

The mods to the install process are quite simple.  From memory and looking at
the files on the SUSE53 machine here at work....

And extra link in each of the /etc/init.d/rc?.d directories called K35ipsec
which SUSE use to shut a service down.

A few mods in /etc/init.d/ipsec  to cope with the different places that SUSE
put config info, and remove the inculsion of /etc/rc.d/init.d/functions and .
/etc/sysconfig/network as they don't exists and 1st one isn't needed anyway.

insert &quot;. /etc/rc.config&quot; to pick up the SUSE config info and use 

  if test -n &quot;$NETCONFIG&quot; -a &quot;$NETCONFIG&quot; != &quot;YAST_ASK&quot; ; then

to replace 

  [ ${NETWORKING} = &quot;no&quot; ] amp; exit 0

Create /etc/sysconfig  as SUSE doesn't have one.

I think that was all (but I prob forgot something)....</PRE>
<P>You may also need to fiddle initialisation scripts to ensure that 
 /var/run/pluto.pid is removed when rebooting. If this file is present, 
Pluto  does not come up correctly.</P>
<H3><A name="slack">Slackware</A></H3>
<PRE>
Subject: Re: linux-ipsec: Slackware distribution
  Date:  Thu, 15 Apr 1999 12:07:01 -0700
  From:  Evan Brewer &lt;dmessiah@silcon.com&gt;

&gt; Very shortly, I will be needing to install ipsec on at least gateways that
&gt; are running Slackware. . . .

The only trick to getting it up is that on the slackware dist there is no
init.d directory in /etc/rc.d .. so create one.  Then, what I do is take the
ipsec startup script which normally gets put into the init.d directory, and
put it in /etc/rc.d and name ir rc.ipsec .. then I symlink it to the file
in init.d.  The only file in the dist you need to really edit is the
utils/Makefile, setup4:

Everything else should be just fine.
</PRE>
 A year or so later: 
<PRE>
Subject: Re: HTML Docs- Need some cleanup?
   Date: Mon, 8 Jan 2001
   From: Jody McIntyre &lt;jodym@oeone.com&gt;

I have successfully installed FreeS/WAN on several Slackware 7.1 machines.
FreeS/WAN installed its rc.ipsec file in /etc/rc.d.  I had to manually call
this script from rc.inet2.  This seems to be an easier method than Evan
Brewer's.
</PRE>
<H3><A name="deb">Debian</A></H3>
<PRE>Subject: FreeS/WAN 1.0 on Debian 2.1
   Date: Tue, 20 Apr 1999
  From:  Tim Miller &lt;cerebus+counterpane@haybaler.sackheads.org&gt;

        Compiled and installed without error on a Debian 2.1 system
with kernel-source-2.0.36 after pointing RCDIR in utils/Makefile to
/etc/init.d.

        /var/lock/subsys/ doesn't exist on Debian boxen, needs to be
created; not a fatal error.

        Finally, ipsec scripts appear to be dependant on GNU awk
(gawk); the default Debian awk (mawk-1.3.3-2) had fatal difficulties.
With gawk installed and /etc/alternatives/awk linked to /usr/bin/gawk
operation appears flawless.</PRE>
<P> The scripts in question have been modified since this was posted. 
Awk versions should no longer be a problem.</P>
<H3><A name="caldera">Caldera</A></H3>
<PRE>
Subject: Re: HTML Docs- Need some cleanup?
   Date: Mon, 08 Jan 2001
   From: Andy Bradford &lt;andyb@calderasystems.com&gt;

On Sun, 07 Jan 2001 22:59:05 EST, Sandy Harris wrote:

&gt;     Intel Linux distributions other than Redhat 5.x and 6.x 
&gt;         Redhat 7.0 
&gt;         SuSE Linux 
&gt;             SuSE Linux 5.3 
&gt;         Slackware 
&gt;         Debian 

Can you please include Caldera in this list?  I have tested it since 
FreeS/Wan 1.1 and it works great with our systems---provided one 
follows the FreeS/Wan documentation. :-)

Thank you,
Andy
</PRE>
<H2><A name="CPUs">CPUs other than Intel</A></H2>
<P> FreeS/WAN has been run sucessfully on a number of different CPU 
architectures. If you have tried it on one not listed here, please post 
to the <A href="mail.html">mailing list</A>.</P>
<H3><A name=" strongarm">Corel Netwinder (StrongARM CPU)</A></H3>
<PRE>Subject: linux-ipsec: Netwinder diffs
Date: Wed, 06 Jan 1999
From: rhatfield@plaintree.com

I had a mistake in my ipsec-auto, so I got things working this morning.

Following are the diffs for my changes.  Probably not the best and cleanest way 
of doing it, but it works. . . . </PRE>
<P>These diffs are in the 0.92 distribution and any snapshot after Feb 
20  1999, so these should work out-of-the-box on Netwinder.</P>
<H3><A name="yellowdog">Yellow Dog Linux on Power PC</A></H3>
<PRE>Subject:  Compiling FreeS/WAN 1.1 on YellowDog Linux (PPC)
   Date:  11 Dec 1999
   From:  Darron Froese &lt;darron@fudgehead.com&gt;

I'm summarizing here for the record - because it's taken me many hours to do
this (multiple times) and because I want to see IPSEC on more linuxes than
just x86.

Also, I can't remember if I actually did summarize it before... ;-) I'm
working too many late hours.

That said - here goes.

1. Get your linux kernel and unpack into /usr/src/linux/ - I used 2.2.13.
&lt;http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.13.tar.bz2&gt;

2. Get FreeS/WAN and unpack into /usr/src/freeswan-1.1
&lt;ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz&gt;

3. Get the gmp src rpm from here:
&lt;ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm&gt;

4. Su to root and do this: rpm --rebuild gmp-2.0.2-9a.src.rpm

You will see a lot of text fly by and when you start to see the rpm
recompiling like this:

Executing: %build
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd gmp-2.0.2
+ libtoolize --copy --force
Remember to add `AM_PROG_LIBTOOL' to `configure.in'.
You should add the contents of `/usr/share/aclocal/libtool.m4' to
`aclocal.m4'.
+ CFLAGS=-O2 -fsigned-char
+ ./configure --prefix=/usr

Hit Control-C to stop the rebuild. NOTE: We're doing this because for some
reason the gmp source provided with FreeS/WAN 1.1 won't build properly on
ydl.

cd /usr/src/redhat/BUILD/
cp -ar gmp-2.0.2 /usr/src/freeswan-1.1/
cd /usr/src/freeswan-1.1/
rm -rf gmp
mv gmp-2.0.2 gmp

5. Open the freeswan Makefile and change the line that says:
KERNEL=$(b)zimage (or something like that) to
KERNEL=vmlinux

6. cd ../linux/

7. make menuconfig
Select an option or two and then exit - saving your changes.

8. cd ../freeswan-1.1/ ; make menugo

That will start the whole process going - once that's finished compiling,
you have to install your new kernel and reboot.

That should build FreeS/WAN on ydl (I tried it on 1.1).</PRE>
 And a later message on the same topic: 
<PRE>Subject: Re: FreeS/WAN, PGPnet and E-mail
   Date: Sat, 22 Jan 2000
   From: Darron Froese &lt;darron@fudgehead.com&gt;

on 1/22/00 6:47 PM, Philip Trauring at philip@trauring.com wrote:

&gt; I have a PowerMac G3 ...

The PowerMac G3 can run YDL 1.1 just fine. It should also be able to run
FreeS/WAN 1.2patch1 with a couple minor modifications:

1. In the Makefile it specifies a bzimage for the kernel compile - you have
to change that to vmlinux for the PPC.

2. The gmp source that comes with FreeS/WAN (for whatever reason) fails to
compile. I have gotten around this by getting the gmp src rpm from here:

ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm

If you rip the source out of there - and place it where the gmp source
resides it will compile just fine.</PRE>
<H3><A name="mklinux">Mklinux</A></H3>
<P>One user reports success on the Mach-based <STRONG> m</STRONG>icro<STRONG>
k</STRONG>ernel Linux.</P>
<PRE>Subject: Smiles on sparc and ppc
   Date: Fri, 10 Mar 2000
   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;

You may or may not be interested to know that I have successfully built
FreeS/WAN on a number of non intel alpha architectures; namely on ppc
and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
works, mostly, with few changes.</PRE>
<H3><A name="alpha">Alpha 64-bit processors</A></H3>
<PRE>Subject: IT WORKS (again) between intel &amp; alpha :-)))))
   Date: Fri, 29 Jan 1999
   From: Peter Onion &lt;ponion@srd.bt.co.uk&gt;

Well I'm happy to report that I've got an IPSEC connection between by intel &amp; alpha machines again :-))

If you look back on this list to 7th of December I wrote...

-On 07-Dec-98 Peter Onion wrote:
-&gt; 
-&gt; I've about had enuf of wandering around inside the kernel trying to find out
-&gt; just what is corrupting outgoing packets...
-
-Its 7:30 in the evening .....
-
-I FIXED IT  :-))))))))))))))))))))))))))))))))
-
-It was my own fault :-((((((((((((((((((
-
-If you ask me very nicly I'll tell you where I was a little too over keen to
-change unsigned long int __u32 :-)  OPSE ...
-
-So tomorrow it will full steam ahead to produce a set of diffs/patches against
-0.91 
-
-Peter Onion.
</PRE>
<P>In general (there have been some glitches), FreeS/WAN has been 
running on  Alphas since then.</P>
<H3><A name="SPARC">Sun SPARC processors</A></H3>
<P>Several users have reported success with FreeS/WAN on SPARC Linux. 
Here  is one mailing list message:</P>
<PRE>
Subject: Smiles on sparc and ppc
   Date: Fri, 10 Mar 2000
   From: Jake Hill &lt;jah@alien.bt.co.uk&gt;

You may or may not be interested to know that I have successfully built
FreeS/WAN on a number of non intel alpha architectures; namely on ppc
and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
works, mostly, with few changes.

I have a question, before I make up some patches. I need to hack
gmp/mpn/powerpc32/*.s to build them. Is this ok? The changes are
trivial, but could I also use a different version of gmp? Is it vanilla
here?

I guess my only real headache is from ipchains, which appears to stop
running when IPSec has been started for a while. This is with 2.2.14 on
sparc.</PRE>
<P> This message, from a different mailing list, may be relevant for 
anyone working with FreeS/WAN on Suns:</P>
<PRE>
Subject: UltraSPARC DES assembler
   Date: Thu, 13 Apr 2000
   From: svolaf@inet.uni2.dk (Svend Olaf Mikkelsen)
     To: coderpunks@toad.com

An UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c
file is available at http://inet.uni2.dk/~svolaf/des.htm.

This brings DES on UltraSPARC from slower than Pentium at the same
clock speed to significantly faster.
</PRE>
<H3><A name="mips">MIPS processors</A></H3>
<P>We know FreeS/WAN runs on at least some MIPS processors because <A href="http://www.lasat.com">
Lasat</A> (who host our freeswan.org web site)  manufacture an IPSEC 
box based on an embedded MIPS running Linux with  FreeS/WAN. We have no 
details.</P>
<H3><A name="coldfire">Motorola Coldfire</A></H3>
<PRE>
Subject: Re: Crypto hardware support
   Date: Mon, 03 Jul 2000
   From: Dan DeVault &lt;devault@tampabay.rr.com&gt;

.... I have been running
uClinux with FreeS/WAN 1.4 on a system built by Moreton Bay  (
http://www.moretonbay.com )  and it was using a Coldfire processor
and was able to do the Triple DES encryption at just about
1 mbit / sec rate.......  they put a Hi/Fn 7901 hardware encryption
chip on their board and now their system does over 25 mbit of 3DES
encryption........ pretty significant increase if you ask me.
</PRE>
<H2><A name="multiprocessor">Multiprocessor machines</A></H2>
<P> FreeS/WAN is designed to work on SMP (symmetric multi-processing) 
Linux machines and is regularly tested on dual processor x86 machines. </P>
<P> We do not know of any testing on multi-processor machines with 
other CPU architectures or with more than two CPUs. Anyone who does 
test this, please report results to the <A href="mail.html">mailing list</A>
. </P>
<P> The current design does not make particularly efficient use of 
multiprocessor machines; some of the kernel work is single-threaded. 
This issue is being addressed in the KLIPS II redesign. </P>
<H2><A name="hardware">Support for crypto hardware</A></H2>
<P> Supporting hardware cryptography accelerators has not been a high 
priority for the development team because it raises a number of fairly 
complex issues:</P>
<UL>
<LI>Can you trust the hardware? If it is not Open Source, how do you 
audit its security? Even if it is, how do you check that the design has 
no concealed traps?</LI>
<LI>If an interface is added for such hardware, can that interface be 
subverted or misused?</LI>
<LI>Is hardware acceleration actually a performance win? It clearly is 
in many cases, but on a fast machine it might be better to use the CPU 
for the encryption than to pay the overheads of moving data to and from 
a crypto board.</LI>
<LI>the current KLIPS code does not provide a clean interface for 
hardware accelerators</LI>
</UL>
<P> That said, we have a <A href="#coldfire">report</A> of FreeS/WAN 
working with one crypto accelerator and some work is going on to modify 
KLIPS to create a clean generic interface to such products. See this <A href="http://www.jukie.net/~bart/linux-ipsec/">
web page</A> for some of the design discussion. </P>
<H2><A name="ipv6">IP version 6 (IPng)</A></H2>
 The Internet currently runs on version four of the IP protocols. IPv4 
is what is in the standard Linux IP stack, and what FreeS/WAN was built 
for. In IPv4, IPSEC is an optional feature. 
<P> The next version of the IP protocol suite is version six, usually 
abbreviated either as &quot;IPv6&quot; or as &quot;IPng&quot; for &quot;IP: the next 
generation&quot;. For IPv6, IPSEC is a required feature. Any machine doing 
IPv6 is required to support IPSEC, much as any machine doing (any 
version of) IP is required to support ICMP.</P>
<P> There is a Linux implementation of IPv6 in Linux kernels 2.2 and 
above. For details, see the <A href="http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/">
FAQ</A>. It does not yet support IPSEC. The <A href="http://www.linux-ipv6.org/">
USAGI</A> project are also working on IPv6 for Linux.</P>
<P> FreeS/WAN was originally built for the current standard, IPv4, but 
we are interested in seeing it work with IPv6. Some progress has been 
made, but at time of writing (February 2001), the job is not complete. 
For more recent information, check the <A href="mail.html">mailing list</A>
.</P>
<P> The first release of FreeS/WAN (1.8) patched for IPv6 support is 
now <A href="http://www.ipv6.iabg.de/downloadframe/index.html">
 available</A>. </P>
<H3><A name="v6.back">IPv6 background</A></H3>
<P> IPv6 has been specified by an IETF <A href="http://www.ietf.org/html.charters/ipngwg-charter.html">
working group</A>. The group's page lists over 30 RFCs to date, and 
many Internet Drafts as well. The overview is <A href="http://www.ietf.org/rfc/rfc2460.txt">
RFC 2460</A>. Major features include: </P>
<UL>
<LI>expansion of the address space from 32 to 128 bits, </LI>
<LI>changes to improve support for 
<UL>
<LI>mobile IP </LI>
<LI>automatic network configuration </LI>
<LI>quality of service routing </LI>
<LI>... </LI>
</UL>
</LI>
<LI>improved security via IPSEC </LI>
</UL>
<P> A number of projects are working on IPv6 implementation. A 
prominent Open Source effort is <A href="http://www.kame.net/">KAME</A>
, a collaboration among several large Japanese companies to implement 
IPv6 for Berkeley Unix. Other major players are also working on IPv6. 
For example, see pages at <A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
Sun</A>, <A href="http://www.cisco.com/warp/public/732/ipv6/index.html">
Cisco</A> and <A href="http://www.microsoft.com/WINDOWS2000/library/howitworks/communications/networkbasics/IPv6.asp">
Microsoft</A>. The <A href="http://www.6bone.net/">6bone</A> (IPv6 
backbone) testbed network has been up for some time. There is an active <A
href="http://www.ipv6.org/">IPv6 user group</A>. </P>
<P> One of the design goals for IPv6 was that it must be possible to 
convert from v4 to v6 via a gradual transition process. Imagine the 
mess if there were a &quot;flag day&quot; after which the entire Internet used 
v6, and all software designed for v4 stopped working. Almost every 
computer on the planet would need major software changes! There would 
be huge costs to replace older equipment. Implementers would be worked 
to death before &quot;the day&quot;, systems administrators and technical support 
would be completely swamped after it. The bugs in every implementation 
would all bite simultaneously. Large chunks of the net would almost 
certainly be down for substantial time periods. ... </P>
<P> Fortunately, the design avoids any &quot;flag day&quot;. It is therefore a 
little tricky to tell how quickly IPv6 will take over.  The transition 
has certainly begun. For examples, see announcements from <A href="http://www.mailbase.ac.uk/lists/internet2/2000-03/0016.html">
NTT</A> and <A href="http://www.vnunet.com/News/1102383">Nokia</A>. 
However, it is not yet clear how quickly the process will gain 
momentum, or when it will be completed. Likely large parts of the 
Internet will remain with IPv4 for years to come. </P>
<HR>
<H1 name="interop"><A NAME="10">Interoperation with other IPSEC 
implementations</A></H1>
<P> The IPSEC protocols are designed to allow interoperation between 
different implementations. Other sections of this documentation have 
more detail on: </P>
<UL>
<LI>the IPSEC <A href="ipsec.html">protocol specifications</A></LI>
<LI>parts of the protocols <A href="#spec">implemented or ommitted</A>
 in FreeS/WAN </LI>
<LI><A href="#implement">other implementations</A></LI>
</UL>
<P> FreeS/WAN does interoperate successfully with many other 
implementations. The ones we know about are listed <A href="#mail.interop">
below</A>.</P>
<P> Of course &quot;the devil is in the details&quot; and the IPSEC protocols 
have a lot of details. At least one <A href="http://www.counterpane.com/ipsec.pdf">
critique</A> has argued that the protocols should be simplified. 
Various of those details can and do cause difficulties for 
interoperation. Should you encounter such problems, please let us know 
via the <A href="mail.html">mailing list</A>. We will likely be able to 
help you, and your report may be useful both to other users and to the 
implementation teams.</P>
<P><STRONG> Note:</STRONG> This file is updated often, whenever I 
notice an interesting interop report on the mailing list. If you are 
reading the version that ships with a FreeS/WAN release or is posted on 
the web, and what you need isn't here, consider downloading the latest 
snapshot to get the latest version of the doc. Perhaps I've added what 
you need since the last release. </P>
<P> There is additional information on interoperability testing in our <A
href="#interop">web links</A> section. </P>
<H2><A name="patch.interop">Patches to extend interoperability</A></H2>
 Sometimes interoperation requires user-contributed patches or add-ons 
on the FreeS/WAN end. In general, no patches to the actual IPSEC code 
are required. The problem is to make FreeS/WAN recognise RSA keys 
stored in formats other than ours. Each such format needs either a 
patch to make FreeS/WAN understand that format or a utility to 
translate it to the FreeS/WAN format. 
<P> For example, unmodified FreeS/WAN cannot use RSA keys generated by <A
href="#PGP">PGP</A> or keys stored in <A href="glossary.html#X.509">
X.509</A> certificates, but patches or utilities are available for both 
those formats. See this list of <A href="#patch"> patches and add-ons</A>
. </P>
<H2><A name="interop.problem">Interoperability problems</A></H2>
<P> The IPSEC RFCs are complex and include a number of optional 
features.  There is considerable opportunity for even two correct, 
standard-conforming,  implementations to disagree on details in a way 
that blocks interoperation.  Of course, misinterpretations of the 
standards and implementation or  configuration errors on either end can 
also foul things up.</P>
<P>That said, FreeS/WAN interoperates successfully with many other 
 implementations. There is a <A href="#mail.interop">list</A> below.</P>
<P> Known areas where problems may appear are:</P>
<UL>
<LI><STRONG>FreeS/WAN does not implement single DES</STRONG> because <A href="#desnotsecure">
DES is insecure</A>. Suggestions on what to do if  the device you want 
to talk to has only DES are <A href="#noDES">below</A>.</LI>
<LI><STRONG>FreeS/WAN does not implement Diffie-Hellman group 1</STRONG>
 because it  it is not entirely clear that this is secure.</LI>
<LI>The RFCs define two modes for IKE negotiations -- main mode and 
 aggressive mode. Aggressive mode is slightly faster, but reveals more 
 information to an eavesdropper. Specifically, it lets an eavesdropper 
 know what identities are in use. <STRONG>FreeS/WAN does not implement 
 aggressive mode</STRONG>, so any negotiation another implementation 
 tries that way will fail. </LI>
<P> In principle this should not be a problem  since main mode support 
is required in all implementations and aggressive  mode is optional. 
 In practice, it is sometimes a problem.  Some implementations default 
to  aggressive mode unless you configure them for main mode.</P>
<LI> For automatic keying, <STRONG>the FreeS/WAN default is to provide <A
href="#PFS"> perfect forward secrecy</A></STRONG>. We see no reason not 
 to; this is more secure and costs little. Some other implementations, 
 however, turn PFS off by default. </LI>
<P> You can turn PFS off in FreeS/WAN with the <VAR>pfs=no</VAR>
 setting in <A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A>, 
but if possible  we suggest you enable it on the other end instead. 
That is more secure.</P>
<LI> The IKE protocol allows several types of optional message. Two 
things happen  which are allowed by the RFCs: 
<UL>
<LI>Some implementations send various optional messages. </LI>
<LI>FreeS/WAN ignores them. </LI>
</UL>
 However, problems may arise if the other end relies on some expected 
effect  of these messages. There are two FAQ questions dealing with 
this, one on the <A href="#ignore"> log message</A> FreeS/WAN gives 
when ignoring  optional payloads and one on the <A href="#deadtunnel">
delete SA</A> payload. </LI>
</UL>
<P> The general rule is that to interoperate with FreeS/WAN, the other 
implementation should be configured for:</P>
<UL>
<LI>main mode</LI>
<LI>triple DES encryption</LI>
<LI>Diffie-Hellman Group 2 or 5 </LI>
</UL>
<P> This is possible for most implementations.</P>
<H3><A name="noDES">Systems that want to use single DES</A></H3>
<P> Linux FreeS/WAN does not support single DES transforms. Neither 
Pluto's IKE connections nor KLIPS' IPSEC connections can use DES. Since <A
href="#desnotsecure">DES is insecure</A> we do not, and will not at any 
future time, provide it.</P>
<P> DES is, unfortunately, a mandatory part of the <A href="#IPSEC">
IPSEC</A> standard. Despite that, we will not implement DES. We believe 
it is more important to provide security than to comply with a standard 
which has been <A href="#weak">subverted</A> into allowing weak 
algorithms. See our <A href="politics.html">history and politics</A>
 section for discussion.</P>
<P> Some implementations may offer DES as the default. In such cases we 
urge you to change them to <A href="#3DES">Triple DES</A>. If this is 
not possible, for example because <A href="#exlaw">export laws</A>
 prevent your vendor from offerring you adequate crytography, we urge 
you to complain vigorously to one or more of:</P>
<UL>
<LI>your government, especially any department concerned with 
protecting citizens'  privacy or your nation's communication 
infrastructure</LI>
<LI>the vendor</LI>
<LI>the embassy of the nation whose laws are problematic for you</LI>
</UL>
<P> Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES 
now. </P>
<P> FreeS/WAN does have <A href="#DES">DES</A> code in it as a sort of 
historical accident, since we need it to implement our default 
(currently, our only) block cipher, <A href="#3DES">Triple DES</A>. 
However, since <A href="#desnotsecure">DES is insecure</A>, we do not 
provide any interface to that code.</P>
<P> As a matter of project policy, we will not help anyone subvert 
FreeS/WAN to provide <A href="#desnotsecure">insecure DES encryption</A>
. </P>
<H2><A name="otherpub">Interop HowTo documents</A></H2>
<P> The FreeS/WAN team does not have the resources to test with 
anything like the full range of <A href="#implement">other IPSEC 
implementations</A> out there. Fortunately, some of our users are doing 
a fine job of filling the gap by providing HowTo information:</P>
<UL>
<LI>Hans-Jorg Hoxer's <A href="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html">
 HowTo</A> covering interoperation between any two of: 
<UL>
<LI>FreeS/WAN</LI>
<LI>Open BSD IPSEC</LI>
<LI>Windows 98 with PGPnet</LI>
</UL>
</LI>
<LI>Jean-Francois Nadeau's <A href="http://jixen.tripod.com/">practical 
 configurations</A> document covers FreeS/WAN interoperation with 
<UL>
<LI>Windows 2000 IPSEC</LI>
<LI>NAI PGPnet</LI>
<LI>IRE Safenet SoftPK.</LI>
</UL>
</LI>
<LI>Oscar Delgado's <A href="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
 page</A> has a PDF document covering interop using X.509  certificates 
between FreeS/WAN and: 
<UL>
<LI>Windows 2000 </LI>
<LI>PGPnet </LI>
</UL>
</LI>
<LI>Terrandon Communications provide a <A href="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf">
 PDF HowTO</A> on using FreeS/WAN with IRE SafeNet </LI>
<LI>Telenor provide a HowTo on <A href="http://security.nta.no/freeswan-w2k.html">
FreeS/WAN and Windows 2000</A></LI>
<LI>Carl's Guide for <A href="http://el06-24-29-255-187.ce.mediaone.net/carl/linux/ipsec/swan-w2k/swanw2k-b.html">
 FreeS/WAN and Windows 2000</A></LI>
<LI>Ryan's <A href="http://www-ec.njit.edu/~rxt1077/Howto.txt">HowTo</A>
 for getting PGPnet to  connect with FreeS/WAN using x509 certs through 
a Linksys router, with IPSec passthru enabled. </LI>
</UL>
<P> See also our list of available <A href="#patch">patches and add-ons</A>
. </P>
<H2><A name="mail.interop">Interoperation with specific products</A></H2>
<P> Most of the information in this section is gleaned from the mailing 
list. For additional information, search one of the list <A href="#archives">
archives</A>.</P>
<P> A large thank you is in order to all the list contributors. This 
document would not exist without you. </P>
<P><STRONG> Anyone who has tested with an implementation not listed 
here, please report results</STRONG> to the <A href="mail.html">mailing 
list</A>. I generally include the sender's email address when I quote 
list messages here; &quot;credit where credit is due&quot;. If you would prefer 
that I not do that with yours, please mention that.</P>
<H3><A name="oldswan">Older versions of FreeS/WAN</A></H3>
 Any two versions of FreeS/WAN should interoperate, and many 
combinations have been tested doing so successfully. In particular, 
every release is tested against its predecessor before it goes out. 
<P> However, if you do encounter a problem involving an older version, 
we are likely to suggest you upgrade. We do not have the resources to 
support multiple versions. </P>
<P> The <A href="#old_to_new">FAQ</A> also discusses this. </P>
<H3><A name="OpenBSD">OpenBSD</A></H3>
 Two documents we know of cover interoperation between FreeS/WAN and 
Open BSD IPSEC: 
<UL>
<LI>Hans-Jorg Hoxer's <A href="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html">
HowTo</A></LI>
<LI>Skyper's <A href="http://www.segfault.net/ipsec/">guide</A></LI>
</UL>
<P> This report is from one of the OpenBSD IPSEC developers, a regular 
 participant on our mailing list:</P>
<PRE>
Subject: spi.c bug
   Date: Tue, 23 Feb 1999
   From: Niklas Hallqvist &lt;niklas@appli.se&gt;

PS.  I don't know if you have an interop list anywhere, but you should
know FreeS/WAN interops with OpenBSD both at the IPSec level and at
the IKE level.
</PRE>
<P> He has also talked of porting NetBSD's isakmpd(8) to Linux, but has 
(as of late April '99) made no announcement of availability. This would 
provide an alternative to our pluto(8) daemon with a somewhat different 
feature set. Our <A href="#KLIPS">KLIPS</A> kernel code would still be 
used.</P>
<P> The <A href="http://www.openbsd.org/faq/faq13.html">OpenBSD FAQ</A>
 includes information on their IPSEC implementation. </P>
<H3><A name="FreeBSD">FreeBSD</A></H3>
<P>The only <A href="http://www.r4k.net/ipsec/">reference</A> we have 
to IPSEC for FreeBSD says their code was ported from OpenBSD.</P>
<P> Here is a mailing list message on FreeBSD interoperation: </P>
<PRE>
Subject: Re: Interop with [Free|Open|Net]BSD
   Date: Fri, 29 Dec 2000
   From: Ghislaine Labouret &lt;Ghislaine.Labouret@hsc.fr&gt;

On Thu, 28 Dec 2000 13:53:01 -0500, Sandy Harris wrote:

&gt; FreeBSD:
&gt; 
&gt; For FreeBSD, I find list discussion of 3DES key formats, presumably for manual
&gt; keying. We have 192-bit, 3 64-bit keys including parity bits, while FreeBSD 4.0
&gt; used 168-bit, 3 56-bit keys without the parity bits. Has FreeBSD changed this?

I still don't understand what made Spike Gronim say that KAME wants a
168 bits key; I have always been using 192 bits keys with KAME and had
no interoperability problem between KAME and FreeS/WAN using manual
keying.

&gt; For auto keying, I find reports of sucessful use of pre-shared secrets, but
&gt; nothing on RSA authentication.

I had KAME (20001023 snapshot) and FreeS/WAN 1.6 successfully
interoperate using both PSK and RSA-sig authentication. The config
files, certificates and test keys used are available online:
http://www.hsc.fr/ipsec/ipsec2000/kame/
http://www.hsc.fr/ipsec/ipsec2000/freeswan/
Not much details though, as this is just a report and not a how-to. Will
improve it if I can find spare time.

&gt; Does FreeBSD support that? 

KAME can use RSA-sig and can either exchange certificates online or get
them from a file. I tested the latter. No test with the X.509 patch for
FreeS/WAN yet, though that's in my short term plans too.

&gt; Are the key formats compatible, or has anyone written translation code?

KAME wants the keys inside certificates, in PEM format. To extract the
keys for FreeS/WAN I used the fswcert utility, but it can be done &quot;by
hand&quot; using openssl.
</PRE>
<H3><A name="NetBSD">NetBSD</A></H3>
 NetBSD has an IPSEC implementation, described in this <A href="http://www.netbsd.org/Documentation/network/ipsec/">
FAQ</A>. 
<H3><A name="Cisco">Cisco Routers</A></H3>
 Useful pages on Cisco sites include: 
<UL>
<LI><A href="http://www.cisco.com/warp/public/471/top_issues/vpn/vpn_index.shtml">
VPN support</A></LI>
<LI><A href="http://www.ieng.com/warp/public/700/tech_configs.html">
sample configurations</A></LI>
</UL>
<P> Here is a mailing list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html">
message</A> with subject &quot;FreeS/WAN and Cisco 3030 VPN Concentrator&quot; 
and an attached MS-Word document on the setup. </P>
<P> A sample FreeS/WAN configuration, used in testing with Cisco at an 
interop conference, is in another list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00095.html">
message</A>. Unfortunately, it does not give the matching Cisco 
configuration. </P>
<P> Here is our first interop success report: </P>
<PRE>
Subject: cisco &lt;-&gt; pluto IKE interop is here........
   Date: Thu, 28 Jan 1999
   From: Ian Calderbank

Ok, tried todays pluto (28 jan) snapshot against a (wait for it) 3des
cisco box, one with some more serious grunt for benchmarking when the time
comes. 

And the good news is that pluto and cisco's IKE seem to interoperate. At
the end of things both devices seem to be happy that they have IKE and
IPSEC SA's. I can't send any traffic over it cos klips seems to be broken
(peter seems to be on the case), but fundamentally, pluto seems to be
interoperable with cisco for SA negotiation.

I've attached some ipsec barf output - pluto still complains a few times,
but it gets there :-)
</PRE>
<P> A later message from Ian:</P>
<PRE>
This configuration is provided as-is and with no assistance or guarantee
that it works whatsover. In particular your attention is drawn to the versions
of operating systems and IPSEC that were used in the test. Configurations
for later versions of freeswan and cisco IOS may well be different.

Cisco router: 3640 (R4700 processor), ios 12.0(2a)T1), 3DES IPSEC feature set
( you do need the 3des version).
Linux box: P150, freeswan 29/jan/99 snapshot, Redhat 5.2, kernel 2.0.36.
Interconnect: 10 Base T.
Algorithm: ESP 3des/md5

CPU loadings: 
Cisco 3640 : 98%
Freeswan P150 : load average: 0.08, 0.06, 0.01

Throughput: 1.1 Mbit/sec at the application layer, approx 1.2Mbit/sec, 100 packet/sec on 
the external network. There were no chokes present, so the limit would 
appear to be the 3640, given it was running near flat out. 

--------------------------

Freeswan config:
/etc/ipsec-auto

auto    ipsec-router-test
        type=tunnel
        left=x.x.x.x
# x.x.x.x = linux box public ip address
        right=y.y.y.y
# y.y.y.y = router public ip address
        rightsubnet=192.168.2.0/24
# private network behind the router - host to which throughput testing was done is here.
        keyexchange=ike
        encrypt=yes
        authenticate=no
        pfs=no
        lifetime=8h

----------------------------

Cisco Router config:

crypto isakmp policy 1
 encr 3des
 hash md5 
 authentication pre-share
crypto isakmp key SECRET-VALUE address x.x.x.x 
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac 
crypto map TEST 1 ipsec-isakmp  
 set peer x.x.x.x
 set transform-set 3DES-MD5 
 match address 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 host x.x.x.x
interface 
crypto map TEST
</PRE>
<P> A <A href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t2/3desips.htm">
page</A> on Cisco's site gave this list (early Jan 2000, before new US 
export  regulations went into effect):</P>
<PRE>
| Triple DES Encryption for IPSec
|
| ...
|
| This feature is supported only on the following platforms:
|
|     1720
|     2600 Series
|     3600 Series
|     4000 Series
|     4500 Series
|     AS5300 Series
|     7200 Series
|     7500 Series
</PRE>
 A message from another user about using RSA keys with Cisco: 
<PRE>
From: jrussi@uol.com.br
Subject: Re:Re: Re:Re: [Users] RSA public key and Cisco (3640)
Date: Sat, 2 Jun 2001

We use Cisco IOS 12.1.5(T) and freeswan 1.8

Here an example on how I copied the key from cisco:

Key Data:
  117C311E 16192D86 8886C71D 11111115 11138B11 31881241 11C7E23B D6DB22 
  18DEC1BD....

Will become

0x117C311E16192D868886C71D1111111511138B113188124111C7E23BD6DB2218DEC1BD...  

We used at least 1024 bits long keys.

But it doesn&acute;t matter. The problem is that cisco doesn&acute;t agree with the RSA schema from freeswan, I think. In Cisco, rsasig is to use with a CA, and rsaencript did not work as well. 

My case is worse than it. My first intention was to use freeswan in a road warrior config. I really need to use CA, as Cisco needs a fix address to use rsa public key. The public key to cisco is always associated to an IP address ou FQDN. I quit. Will try the X509 patch and the Open CA software.

Deyvi
&gt;&gt;(off list)
&gt;
&gt;Yes, I was just going to mention that the Cisco's key should be in
&gt;ipsec.conf (just received your correction).
&gt;
&gt;I think that I have the Cisco side configured correctly ( I can't be sure
&gt;because I can't test against the Freeswan).
&gt;
&gt;Starting from having the IPsec tunnel working with pre-share, I did the
&gt;following on the Cisco side:
&gt;
&gt;#config t
&gt;(config)# crypto key pubkey-chain rsa
&gt;(config-pubkey-chain)# addressed-key 
<!--ipaddress of freeswan-->

&gt;(config-pubkey-key)# key-string
&gt;(config-pubkey-key)# 
<!--paste freeswan key here-->

&gt;(config-pubkey-key)#quit
&gt;(config-pubkey-chain)#exit
&gt;
&gt;# config t
&gt;(config)# crypto isakmp policy 1
&gt;(config-isakmp)# no authentication pre-share
&gt;(config-isakmp)# authentication rsa-sig
&gt;(config-isakmp)# exit
&gt;
&gt;How long is your RSA key that was generated on the Cisco? I tried copying
&gt;the key out of the 3640 and pasting it into ipsec.conf, removing the spaces
&gt;and adding a '0x' in the front. I get the 'key too small' error still. What
&gt;version of freeswan are you using?
&gt;
&gt;I'm using Freeswan 1.9 w/ IOS 12.1(6).
&gt;
&gt;
&gt;----- Original Message -----
&gt;From: 
<!--jrussi@uol.com.br-->

&gt;To: &quot;James Rowe&quot; 
<!--jrowe@cisco.com-->
; 
<!--jrussi@uol.com.br-->

&gt;Cc: 
<!--users@lists.freeswan.org-->

&gt;Sent: Thursday, May 31, 2001 5:15 PM
&gt;Subject: Re:Re: [Users] RSA public key and Cisco (3640)
&gt;
&gt;
&gt;&gt; We had no problems with the key. Just be sure to remove the blank spaces
&gt;from the key (general key) that cisco generates.
&gt;&gt;
&gt;&gt; Just remove the blank, put all together as a long line (all the lines to a
&gt;single line) and add a &quot;0x&quot; at the key that Cisco give to you, and paste to
&gt;ipsec.secrets.
&gt;&gt;
&gt;&gt; The public key from FreeSwan, you just remove the &quot;0x&quot; and paste to the
&gt;command line at cisco. They will not complain about the keys.
&gt;&gt;
&gt;&gt; But my problem is with the proposal configured at Cisco. What to you think
&gt;to use? I tried &quot;authentication rsasig&quot; and &quot;rsaencrip&quot; with no results.
&gt;Cisco always sends me an &quot;No proposal choosen&quot; error message.
&gt;&gt;
&gt;&gt; I road an old message from someone called Brian here at this list, where
&gt;he says that FreeSwan will not accept authentication rsaencript from Cisco.
&gt;But rsasig is to use with a CA certification. So my question is: is it
&gt;possible to use Cisco with public RSA keying, without a CA? The thread ended
&gt;without an answer to it.
&gt;&gt;
&gt;&gt; Deyvi
&gt;&gt; &gt;&gt;Hello,
&gt;&gt; &gt;
&gt;&gt; &gt;I am working on the same issue. I have pre-shared working, but would like
&gt;to
&gt;&gt; &gt;use RSA public keys. It seems that the Cisco key is too short. When
&gt;starting
&gt;&gt; &gt;IPsec in init.d, it says that the Cisco key is not secure because it is
&gt;less
&gt;&gt; &gt;than 512 bits, even tough the key is really over 768 bits. Claudia thinks
&gt;&gt; &gt;this is a parsing problem and suggested to take a look at the source
&gt;code.
&gt;&gt; &gt;
&gt;&gt; &gt;Some pointers that I have found while working on this:
&gt;&gt; &gt;
&gt;&gt; &gt;You must add a '0x' to the front of the Cisco key when entering it into
&gt;&gt; &gt;Freeswan, and remove the '0x' when entering the freeswan key into the
&gt;Cisco
&gt;&gt; &gt;3640.
&gt;&gt; &gt;
&gt;&gt; &gt;The case of the hexadecimal letters in the key does not matter. Thinking
&gt;&gt; &gt;that freeswan stopped reading the key when it encountered the first
&gt;&gt; &gt;uppercase letter in the Cisco key (freeswan keys are lowercase, Cisco's
&gt;are
&gt;&gt; &gt;uppercase), I changed everything to lowercase. Didn't help.
&gt;&gt; &gt;
&gt;&gt; &gt;I'll let you know if I make any progess on this. I'd appreciate if you
&gt;would
&gt;&gt; &gt;let me know if you get this working. Thanks.
&gt;&gt; &gt;
&gt;&gt; &gt;-- Jim Rowe
&gt;&gt; &gt;
&gt;&gt; &gt;----- Original Message -----
&gt;&gt; &gt;From: 
<!--jrussi@uol.com.br-->

&gt;&gt; &gt;To: 
<!--users@lists.freeswan.org-->

&gt;&gt; &gt;Sent: Thursday, May 31, 2001 2:52 PM
&gt;&gt; &gt;Subject: [Users] RSA public key and Cisco (3640)
&gt;&gt; &gt;
&gt;&gt; &gt;
&gt;&gt; &gt;&gt; Does anyone have a sucessful Cisco config file to use in a
&gt;freswan-cisco
&gt;&gt; &gt;conection using RSA public key?
&gt;&gt; &gt;&gt;
&gt;&gt; &gt;&gt; We were able to setup a pre-shared conection, but would like to try
&gt;public
&gt;&gt; &gt;keying.
</PRE>
<H3><A name="bay">Nortel (Bay Networks) Contivity switch</A></H3>
 There is one known issue in FreeS/WAN-to-Contivity interoperation. 
Recent versions of FreeS/WAN no longer support DH group 1 for key 
exchange. Older versions of Contivity software support nothing else. 
Group 2 was added in more recent releases. So: 
<UL>
<LI>older FreeS/WANs, such as 1.5, will work with any Contivity 
software. Key exchange will be done using DH Group 1. This may not be 
secure. </LI>
<LI>current FreeS/WANs will work only with recent Contivity releases 
supporting DH Group 2. Contivity 3.5 is one such release. </LI>
</UL>
 We recommend using the latest Contivity release. 
<P> Some messages from the mailing list: </P>
<PRE>
Subject: Contivity Extranet Switch
   Date: Fri, 11 Jun 1999
   From: Matthias David Siebler &lt;msiebler@nortelnetworks.com&gt;
Reply-To: msiebler@alum.mit.edu
Organization: Nortel Networks

More interoperability results:

I successfully established a tunnel with a Nortel (formerly Bay (formerly New Oak)) Contivity
Extranet Switch running the latest release versions.

The CES is running V2.50 of the software and the Linux server is running V1.0.0 of the Free/SWAN
code on a RedHat 5.2 unit with the kernel upgraded to 2.0.36-3

I am using IKE with 3DES-HMAC-MD5

Note however, that tunnels cannot yet be configured as client tunnels since Free/SWAN does not yet
support aggressive mode.  Hopefully, that will arrive soon, which would allow remote users to
connect to a CES using the Free/SWAN code as clients.
</PRE>
<P> and apparently Nortel want their product to work with FreeS/WAN:</P>
<PRE>Subject: Is FreeSwan 3.1 a legitamate ipsec implementation when compared to its commercial competitors?
   Date: Tue, 02 May 2000
   From: Bill Stewart &lt;bill.stewart@pobox.com&gt;

Nortel's Contivity IPSEC server has a formal policy of interoperability
with FreeS/WAN.   I was quite pleased to hear it when they last talked to us,
and it makes sense in their business environment, since they let you use
their WinXX client software free, so this gives them support for Linux
clients.
</PRE>
<P> A more recent mailing list report is: </P>
<PRE>
Subject: Nortel Contivity and Free-S/WAN
   Date: Wed, 7 Mar 2001
   From:  &quot;JJ Streicher-Bremer&quot; &lt;jj@digisle.net&gt;

OK, here is a very brief nuts and bolts breakdown on how to get this
combo working.  I want to thank everyone at Free-S/WAN and everyone on
the list for your help in getting this to work.

Connecting FreeS/WAN to the Nortel Networks Contivity Extranet Switch:

What you need:
FreeS/WAN v1.5 and Contivity ver 2.5 - 3.5 (might work with earlier
versions, but I have not tested it with this config)
or
FreeS/WAN v1.8 and COntivity ver 3.5 (the 3.5 version supports Diffe
Hilman group 2 key exchange)

What to do:
1 - Configure the Contivity:
   Set up a branch office tunnel group with the following settings:
        
        Connectivity:
        Nailed Up: Disabled
        Access Hours: Anytime
        Call Admission Priority: Highest Priority
        Forwarding Priority: Low Priority
        Idle Timeout: 00:00:00
        Forced Logoff: 00:00:00
        RSVP: Disabled
        RSVP: Token Bucket Depth: 3000 Bytes
        RSVP: Token Bucket Rate: 28 Kbps
        Branch Office Bandwidth Policy: 
        - Committed Rate: 56 Kbps
        - Excess Rate: 128 Kbps
        - Excess Action: Mark

        Encryption: 
        - ESP - Triple DES with SHA1 Integrity: Enabled
        - ESP - Triple DES with MD5 Integrity: Enabled
        - ESP - 56-bit DES with SHA1 Integrity: Disabled
        - ESP - 56-bit DES with MD5 Integrity: Disabled
        *IKE Encryption and Diffie-Hellman Group: Triple DES with Group
2 (1024-bit prime)
        Vendor ID: Disabled
        Perfect Forward Secrecy: Enabled
        Compression: Disabled
        Rekey Timeout: 08:00:00
        Rekey Data Count:  (None) 
        *ISAKMP Retransmission Interval: 16
        *ISAKMP Retransmission Max Attempts: 4

        Set up a branch office tunnel inside this new group with the
following settings:
        
        Endpoint Addresses
        Local - Public address of your COntivity
        Remote - Your Free-S/WAN interface Address
                Tunnel Type - IPSEC
        IPSEC Authentication - Text Pre-Shared Key
                One note here, I have had some trouble trying to use HEX
or Non alphanumeric chars in this key.
        
        Under IP:
        Static Routing
        Local - networks you want to be able to access through the
tunnel
        Remote - networks that will be allowed through the tunnel
        NAT - None

   Get routing setup on your office network:
        You will need to get a routing entry that will point all traffic
bound for your home network (the one that will be acciessible through
the tunnel) to the internal interface of the contivity system.

   Configure Free-S/WAN:
        Install, compile, and test Free-S/WAN
        Edit ipsec.conf for your new tunnel:
--------------------------------------------------------        
ipsec.conf --
config setup
        interfaces=&quot;ipsec0=eth1&quot;
        forwardcontrol=no
        klipsdebug=none
        plutodebug=none
        manualstart=
        plutoload=%search
        plutostart=%search
        plutowait=no
conn net1
        type=tunnel
        auto=start
        auth=esp
        authby=secret
        keyexchange=ike
        keylife=1h
        keyingtries=1
        pfs=yes
        left=10.0.0.2
        leftnexthop=10.0.0.1
        leftsubnet=10.0.1.0/24
        right=172.16.0.2
        rightsubnet=172.16.1.0/24
conn net2
        type=tunnel
        auto=start
        auth=esp
        authby=secret
        keyexchange=ike
        keylife=1h
        keyingtries=1
        pfs=yes
        left=10.0.0.2
        leftnexthop=10.0.0.1
        leftsubnet=10.0.1.0/24
        right=172.16.0.2
        rightsubnet=172.16.2.0/24

ipsec.secrets --
10.0.0.2 172.16.0.2 &quot;Your big secret&quot;
---------------------------------------------

The above config is for this imaginary network:

         +------+
10.0.1.1 |      |10.0.0.2   10.0.0.1++ Internet  
---------|      |-------------------++===========
         +------+            Home Router         
         Free-S/WAN host


Internet ++    172.16.0.2####         172.16.1.0/24 These
=========++--------------####---------172.16.2.0/24 are here somewhere
   Office Router       Contivity
   
   
   This has worked for me.  I am still having trouble with the tunnels
dying after about 30-40 minutes of non-use.  Don't know what that is
about, but I'll keep you posted.
</PRE>
<H3><A name="Raptor">Raptor Firewall</A></H3>
<H4><A name="raptorNT">Raptor 5 on NT (old info)</A></H4>
<PRE>
   Subject: Interoperability with Raptor 5 (Success!)
   Date: Wed, 06 Jan 1999 16:19:27 -0500
   From: Chuck Bushong &lt;chuckb@chandler-group.com&gt;

I don't know if this is useful information for anyone, but I have
successfully established a VPN between RedHat 5.1 (kernel 2.0.34) running
FreeS/WAN 0.91 and NT4 running Raptor 5.  However, Pluto does not appear
compatible with the Raptor IKE implementation. . . .

Subject: RE: linux-ipsec: Interoperability with Raptor 5 (Success!)
Date: Thu, 28 Jan 1999 17:22:55 -0500
From: Chuck Bushong &lt;chuckb@chandler-group.com&gt; 

... this VPN (at least the klips end) has been up under minimal
utilization for three weeks plus without interruption.  The
machine seems very stable.  Pat yourself on the back, gentlemen.
Your beta release is more stable than certain companies' shipping
product.

Keep up the good work.
</PRE>
<H4><A name="raptorsun">Raptor 6 on Solaris</A></H4>
<PRE>
Subject: Re: successful interop. with Raptor 6.02 
   From: &quot;Charles G. Griebel&quot; &lt;cggrieb@biw.com&gt; 
   Date: Tue, 25 Jul 2000

On Thu, Jul 20, 2000 at 12:04:40PM -0700, Kevin Traas wrote:
&gt; Great!  I'm just about to start looking into this as well, so any
&gt; docs/info you can provide would be *greatly* appreciated.  Immortalize
&gt; yourself!  Get something written and added to the compatibility.html
&gt; file.  Many will thank you.

Can't be that hard.  I'm just a freeswan newbie who hasn't even done a FS
<!----->
FS
tunnel yet :)

Anyway, I hope you find this helpful.

Chock

-------------------------------------------------------------------------------

Automatically keyed 3DES VPN between Raptor 6.02 on Solaris 2.6 (left) and
   FreeS/WAN 1.5 on 2.2.16 Intel (right)

FreeS/WAN (right) information:
-----------------------------

ipsec.conf
----------
config setup
        interfaces=&quot;ipsec0=ppp0&quot;    # change to suite
        klipsdebug=
        plutodebug=
        plutoload=sample
        plutostart=sample

conn sample
        left=10.0.0.1
        leftnexthop=10.0.0.2
        leftsubnet=192.168.0.0/24
        right=10.1.1.1
        rightnexthop=10.1.1.1
        rightsubnet=172.16.1.0/24
        auto=add
        keyexchange=ike
        pfs=no
        lifetime=8h
        esp=3des-md5-96

ipsec.secrets
-------------
# note I haven't verified that underscores will actually work
10.0.0.1 10.1.1.1: PSK &quot;some_long_secret_with_plenty_of_chars&quot;

Raptor 6.02 (left) information:
------------------------------
Key Profiles:
    Name: left-external-kp-dynamic
    Type: Dynamic
    Profile Describing: local entity
    Gateway: 10.1.1.1
    Identification Type: Address
    Identification: 10.1.1.1
    ISAKMP Hash Method: MD5
    ISAKMP Authentication: Shared_Key
    Shared Secret: some_long_secret_with_plenty_of_chars
    Time Expiration: 1080

    Name: right-external-kp-dynamic
    Type: Dynamic
    Profile Describing: remote entity
    Gateway: 10.0.0.1
    Identification Type: Address
    Identification: 10.0.0.1

Secure Subnets:
    Name: left-ss-dynamic
    Address: 192.168.0.0
    Netmask: 255.255.255.0
    Key Profile: left-ss-dynamic

    Name: right-ss-dynamic
    Address: 172.16.1.0
    Netmask: 255.255.255.0
    Key Profile: right-ss-dynamic

Secure Tunnel:
    Name: left-to-right-tunnel
    Entity A: right-ss-dynamic
    Entity B: left-ss-dynamic
    Encapsulation: ISAKMP
    Filter: [none]
    Pass traffic through proxies: [unchecked]
    Use Authentication Header: [unchecked]
    Use Encryption Header: [checked]
    Data Integrity Algorithm: MD5
    Data Privacy Algorithm: 3DES

    [Advanced settings]
    Data volume timeout: 2100000
    Lifetime timeout: 480
    Inactivity timeout: 0
    Transport mode: [unchecked]
    Perfect forward secrecy: [unchecked]
    Proxy: [checked]

----
Notes: 
I made the addresses fictitious RFC1918 addresses.
I haven't tried PFS.
I had problems getting an SA with manual keying -- I think it may be with the
 SPI's.
</PRE>
<H4><A name="raptorman">Raptor manual keying</A></H4>
 A mailing list suggestion from FreeS/WAN technical lead Henry Spencer: 
<PRE>
&gt; In the Raptor settings, there are 2 sets of data (1 for each end). Each set
&gt; contains an SPI, 3 DES Keys and 1 MD5 hash. I only know how to include one
&gt; set, how do I include the other set? Is the other set needed?

They may be using different keys for each direction, which is a bit
unusual for manual keying, but not impossible.  The simplest thing is
probably to just give it two identical sets of data -- that should work.
FreeS/WAN has provisions for asymmetric keys etc. in manual keying, but
that stuff is lightly documented and lightly tested.
</PRE>
<H3><A name="gauntlet">Gauntlet firewall GVPN</A></H3>
<PRE>
Subject:  Successful interop: FreeS/WAN 1.7 
<!----->
 Gauntlet Firewall GVPN 5.5
   Date: Tue, 21 Nov 2000

Sending the following to the list, at Hugh's request.

-----Original Message-----
From: Reiner, Richard 
Sent: Tuesday, November 21, 2000 11:34 AM
To: 'hugh@mimosa.com'

Hugh,

&gt; Good.  But we don't think that you should be using our IPCOMP just
&gt; yet.  It is flaky :-(

I've seen no anomalies, although &quot;allow ipcomp&quot; is on at the Gauntlet 
end.  Looking at my ipsec.conf I actually find no refereence to ipcomp. 
 I presume it is disabled by default.  In addition, reviewing my logs 
both on the Gauntlet end and the Linux end, I see nothing I can 
interpret as an indication that ipcomp was enabled during negotiation.  
So I have to correct my previous posting - I believe the link is *not* 
using ipcomp.

&gt; This is interesting and we'd love a more complete writeup.  It should
&gt; get incorporated into our interop documentation.

Here are the relevant bits from ipsec.conf:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn freeswan17-gauntlet55
        auto=start
        type=tunnel
        left=1.1.1.1
        leftnexthop=1.1.1.2
        leftsubnet=10.0.1.0/24
        right=3.3.3.3
        rightnexthop=3.3.3.4
        rightsubnet=10.0.2.0/24
        authby=secret
        keyexchange=ike
        ikelifetime=480m
        auth=esp
        esp=3des-md5-96
        keylife=480m
        keyingtries=8
        pfs=no
        rekeymargin=9m
        rekeyfuzz=25%

All settings on the Gauntlet side are the same (not shown here, as GUI 
screenshots are hard to show in ASCII... and the textual format that is 
generated by the Gauntlet GUI is ugly in the extreme).

Note that ikelifetime is 1440m by default on the Gauntlet end, but 
freeswan does not support this value (max appears to be 480m), thus the 
Gauntlet end is also set to 480m to match freeswan's value.

Also worth noting: I am using the excellent Seawall scripts to manage 
ipchains configuration on the freeswan end.  It automatically generates 
a correct set of firewall rules for the link (along with doing many 
other convenient things).
</PRE>
 For more information on Seawall (the Seattle Firewall), see that 
project's <A href="http://seawall.sourceforge.net/">home page</A> on 
Sourceforge. 
<H3><A name="checkpoint">Checkpoint Firewall-1</A></H3>
<P> A PDF <A href="http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf">
HowTo</A> for connecting FreeS/WAN and this product can be downloaded 
from the  vendor's site or browsed at a VPN mailing list <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
site</A>.</P>
<P> The mailing list reports success with this combination, but also 
some problems. Search the <A href="#archive">archives</A> for the full 
story. </P>
<P> Here is one message, about what seems to be the biggest problem: </P>
<PRE>
Subject: Re: Pb establishing connection from FW1/3DES/SP2 with freeswan 1.5 - ACTE 2
   Date: Tue, 6 Feb 2001
   From: Claudia Schmeing &lt;claudia@freeswan.org&gt;
 
&gt; Thanx to Michael and Claudia, but this doesn't work from VPN1 to linux (as
&gt; linux to VPN1 is OK).
...

&gt; I think that VPN1 doesn't send &quot;192.168.1.0/24&quot; but &quot;192.168.1.20/32&quot; and,
&gt; as Claudia said, IPSEC SA need to match Exactly. 

I don't know about the rules on the VPN-1. You'll have to rely on people 
with applicable experience there...

&gt; Is it possible that freeswan doesn't do the inclusion process (ie if he
&gt; receive 192.168.1.20/32, i doesn't match that this is include in
&gt; 192.168.1.0/24) ?

Yes, that's correct. It needs to match exactly, and inclusion is not
part of this process.
 
&gt; Btw why VPN/1 send 192.168.1.20/32 and not 192.168.1.20/24 (the value that
&gt; Freeswan is waiting for)? A bug?

I think Michael may be able to help you with this.

&gt; Have i a way to force Freeswan to do the &quot;inclusion&quot; (ie accept 
&gt; 192.168.1.20/32 as a part of 192.160.1.20/24, even if the 2 IPSEC Sa 
&gt; doesn't match exactly) ?

No, but...
Another strategy is to accept the fact that the Checkpoint 
proposes separate connections for each machine. If you define 
and add each of these connections on the Linux FreeS/WAN side, then 
Linux FreeS/WAN ought to accept the Checkpoint's proposals.

The only possible difficulty with this strategy is that I don't know 
how Linux FreeS/WAN handles the concept of overlapping tunnels. I
believe, though, that these tunnels can coexist, and if for any 
packet there are two options, a more general and a less general, the
packet will be handled by the more specific tunnel. You would need
to do a little testing to ensure you understand the behaviour and
that this does actually solve your problem.

I think it would be simplest to try to get the Checkpoint to propose the 
more general tunnel. Since I don't recall having seen this problem before, 
I suspect the simpler solution is doable.
</PRE>
<H3><A name="redcreek">Redcreek Ravlin</A></H3>
 We have reports of successful interoperation at an interop <A href="http://www.opus1.com/vpn/atl99display.html">
conference</A>, but there is also a mailing list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00510.html">
 thread</A> discussing difficulties some users have encountered. 
<H3><A name="sentinel">SSH Sentinel</A></H3>
 The vendor's <A href="http://www.ipsec.com/products/sentinel/documents.html">
 web site</A> has configuration examples for use with FreeS/WAN. 
<P> The vendor seems serious about interop with us. Here is a message 
one of their staff posted on our list: </P>
<PRE>
From: Jussi Torhonen &lt;jt@ssh.com&gt;
Organization: SSH Communications Security Corp - http://www.ssh.com
Subject: [Users] SSH Sentinel VPN client public beta #3 now available
Date: Thu, 31 May 2001

Hello, FreeS/WAN community !

SSH Communications Security Corp has released a new public beta #3
version of SSH Sentinel VPN client for Windows. We've got a lot of
reports also from FreeS/WAN community and with that feedback we've
improved interoperability and stability. 

For example PFS (Perfect Forward Secrecy in IKE rekey) can now be used
between SSH Sentinel and FreeSWAN, and if using that user contributed
X.509 patch and exporting the certificate from SSH Sentinel, now those
-----[BEGIN|END] CERTIFICATE----- headers/footers are properly included
in the exported PEM formatted certificate, so it can be imported to
FreeSWAN with fswcert utility and OpenSSL tools. 

Thank you a lot for your feedback, colleagues !

You can get that new public beta #3 and PDF formatted User Manual from
ftp://ftp.ssh.com/pub/sentinel/ or via website
http://www.ipsec.com/products/sentinel/beta/register.html

For more information about the product, please check our website
http://www.ipsec.com

We eagerly want to make SSH Sentinel as the best VPN client on the
market. If you want to contact our support, please send e-mail to
sentinel-support@ssh.com or fill up our feedback form at
http://www.ipsec.com/support/sentinel/beta_report.html

Best regards,
Jussi Torhonen, SSH Sentinel Team
Kuopio, Finland
</PRE>
<H3><A name="Fsecure">F-Secure VPN for Windows</A></H3>
<PRE>   Subject: linux-ipsec: Identification through other than IP number
   Date: Tue, 13 Apr 1999
   From: Thomas Bellman &lt;bellman@signum.se&gt;

... Currently we are trying to interop FreeS/WAN
with F-Secure VPN+ Client 4.0 (for MS Windows), and as long as
the Windows machine has a fix IP address, and are initiating the
IKE negotiations, things are working well.  However, when the IP
address is changing, it doesn't work. ...
(I'll try to write something up about the problems we are having
when Pluto is initiatior in another message.)
</PRE>
<H3><A name="watchguard">Watchguard</A></H3>
<P> Watchguard make a Linux-based firewall product. Ipchains author 
Rusty Russell thanks them for support and recommends them in one of his <A
href="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-3.html#ss3.2">HowTos</A>
. On the other hand, some comments on our mailing list about the 
Watchguard product have been quite unfavourable. See, for example, this <A
href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/08/msg00474.html">
archive message</A>. </P>
<P> Watchguard do not use FreeS/WAN in their product. They have their 
own IPSEC implementation. </P>
<P> We have had mailing list reports of successful interoperation 
between FreeS/WAN and the Watchguard firewall, using manually keyed 
connections. The user could not get automatically keyed connections to 
work; the message below explains this. </P>
<P> Here is some mail from a Watchguard employee about interoperation: </P>
<PRE>
Subject: FreeS/WAN and WatchGuard Firebox interop
   Date: Mon, 18 Dec 2000
   From: Max Enders &lt;menders@watchguard.com&gt;

I was recently given the task of testing IPSec interoperability
with our product, the Firebox. I just wanted to let you know that
I had success with a manual keyed tunnel. Here's what I used for
my test:

RedHat Linux 6.2
Linux 2.2.18 i686 unknown
Linux FreeS/WAN 1.8
&quot;Trusted&quot; interface: 192.168.0.1/24
&quot;External&quot; interface: 192.168.1.1/24

Firebox II FastVPN
WatchGuard Live Security System v4.5
Trusted interface: 192.168.2.1/24
External interface: 192.168.1.2/24

Because FreeS/WAN does not implement single DES, a dynamic keyed
tunnel will not work. Our product strictly uses DES for main mode.
We hope to address this in a future release. Here are instructions
for configuring the Firebox:

Open the Policy Manager and create a new IPSec gateway. Set the Key
Negotiation Type to manual and enter the FreeS/WAN box's external
IP address for the Remote Gateway IP. Configure a new tunnel with
a unique SPI. Select 3DES-CBC for Encryption and MD5-HMAC for
Authentication. Make an Encryption Key and Authentication Key.
Copy the values and save them for configuration of the FreeS/WAN box.
Configure a routing policy and any necessary services as you normally
would.

Here's how I configured FreeS/WAN:

Modifications to /etc/ipsec.conf:

Under the &quot;config setup&quot; section, add:

manualstart=firebox

At the end of the file, add the following connection:

conn firebox
left=192.168.1.1
leftsubnet=192.168.0.0/24
right=192.168.1.2
rightsubnet=192.168.2.0/24
spi=0x101
esp=3des-md5-96
espenckey=0x515b0875793e3708517c3d4554012f7c0273375e51572a31
espauthkey=0x072649041c2c0d452f7c15407576522f

The spi used here should match the Firebox's. Note that the Policy Manager
expects an SPI in decimal, not hexadecimal. The espenckey value should be
0x and the Encryption Key you're using on the Firebox. Likewise for
espauthkey and the Authentication Key on the Firebox.
</PRE>
 A user comments: 
<PRE>
Subject: RE: Freeswan
   Date: Wed, 7 Feb 2001
   From: &quot;Patrick Poncet&quot; &lt;pponcet@vaxxine.com&gt;

It's working!!!

Voila...  I wish to thank all the FreeS/WAN for putting out such a great
product out!  And also Philippe PAULEAU who pioneered interoperability
between FreeS/WAN and Watchguard Firebox II and therefore showed me that my
efforts would not be wasted!...

Yes indeed FreeS/WAN to WatchGuard Firebox only works in manual keying mode
and the best way to generate keys is to have the firebox generate the keys,
then copy and paste into the ipsec.conf file on the FreeS/WAN side (don't
forget to prefix the keys with '0x' in your ipsec.conf file.

Also keep in mind that the SPI is in decimal on the Firebox side and HEX on
the FreeS/WAN side!!!  We spent 4 hours on fixing this HEX-DEC issue only :)
</PRE>
<H3><A name="Xedia">Xedia Access Point/QVPN</A></H3>
<PRE>   Subject: linux-ipsec: Interoperability result
   Date: Mon, 15 Mar 1999 18:08:12 -0500
  From: Paul Koning &lt;pkoning@xedia.com&gt;

Here's another datapoint for the &quot;FreeS/WAN interoperability
database&quot;.

I tested 0.92 against the Xedia Access Point/QVPN product, using
dynamic keying (i.e., Pluto at work).

Results: it works fine so long as you ask for 3DES.  DES and no-crypto 
modes don't work when Pluto is involved.

I did limited data testing, which seemed to be fine.  No performance
numbers yet, could do that if people are interested.

Any questions, please ask.

        paul
</PRE>
<H3><A name="pgpnet">PGP Mac and Windows IPSEC Client</A></H3>
<P> Since version 6.5, the <A href="#PGP">PGP</A> products from <A href="http://www.pgp.com/">
PGP Inc.</A> have included an IPSEC client program.</P>
<P> Here is the first message about it to our mailing list, from a 
senior PGP employee:</P>
<PRE>   Subject: linux-ipsec: PGPnet interoperable with FreeSWAN
   Date: Mon, 05 Apr 1999 18:06:13 -0700
   From: Will Price &lt;wprice@cyphers.net&gt;
    To:  linux-ipsec@clinet.fi

Network Associates announced PGP 6.5 today.  It includes a new product
PGPnet which is a full IKE/IPSec client implementation.  This product
is for Windows and Macintosh.  I just wanted to send a brief note to
this list that the product was compatibility tested with FreeSWAN
prior to its release, and the tests were successful!
[snip]
- -- 
Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.</PRE>
<P> One version is downloadable at no cost for non-commercial use. See 
our <A href="#tools">links</A>. That version does not support subnets. </P>
<P> Several of the user-written HowTos mentioned <A href="#otherpub">
above</A> cover interoperation between PGPnet and FreeS/WAN.</P>
<P> A more recent post from the same PGP Inc staff member pointed out: </P>
<PRE>
Make sure you're using PGP 7.0 or later as the key parser was improved
in that release.  (PGP 7.0.1 was just released)
</PRE>
<P> Various users have reported various successes and problems talking 
to PGPnet with FreeS/WAN. There has also been a fairly complex 
discussion of some fine points of RFC interpretation between the 
implementers of the two systems. Check an archive of our <A href="mail.html">
mailing list</A> for details.</P>
<P> A post summarising some of this, from our Pluto programmer:</P>
<PRE>
   Subject: PGPnet 6.5 and freeswan
   Date: Sun, 16 Jan 2000
   From: &quot;D. Hugh Redelmeier&quot; &lt;hugh@mimosa.com&gt;

| From: Yan Seiner
|
| OK, I'm stumped.  I am trying to configure IPSEC to support road
| warriors using PGPnet 6.5.
| 
| I've set up everything as per the man pages on the ipsec side.
| 
| I've set up everything on the PGPnet side per the docs for that package.
| 
| Pluto fails with this:
| 
| Jan 16 08:14:11 aphrodite Pluto[26401]: &quot;homeusers&quot; #8: no acceptable
| Oakley Transform
| 
| and then it terminates the connection.

As far as I can tell/remember, there are three common ways that PGPnet
and FreeS/WAN don't get along.

1. PGPnet proposes a longer lifetime for an SA than Pluto is willing
   to accept.

2. After rekeying (i.e. after building a new SA bundle because the old
   one is about to expire), FreeS/WAN immediately switches to the new
   one while PGPnet continues using the old

3. FreeS/WAN defaults to expecting Perfect Forward Secrecy and PGPnet
   does not.

Perhaps you are bumping into the first.  In any case, look back
in the log to see why Pluto rejected each transform
</PRE>
<P> Some advice from the mailing list:</P>
<PRE>
   Subject: Re: Secure Gate Fails- PGPNet &amp; FreeSwan
   Date: Wed, 28 Jun 2000
   From: Andreas Haumer &lt;andreas@xss.co.at&gt;

I have a PGPnet setup running with FreeS/WAN working as secure 
gateway. It works quite fine, except for a re-negotiation problem 
I'm currently investigating, and in fact I have it running on some
test equipment here right now!

As I tried _several_ different non-working configuration settings 
I think I know the exact _one_ which works... :-)

Here's my short &quot;HOWTO&quot;:

FreeS/WAN version: snap1000jun25b
PGPnet: PGP Personal Privacy, Version 6.5.3
Linux: 2.2.16 with some patches

Network setup:
=============

internal subnet [192.168.x.0/24]
|
|        [192.168.x.1]
secure gateway with FreeS/WAN
|        [a.b.c.x]
|
|        [a.b.c.y]
router to internet
|
|   Internet
|
|        [dynamically assigned IP address]
road-warrior with PGPnet


Configuration of FreeS/WAN:
==========================

a) /etc/ipsec.conf

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1
        authby=secret
        left=a.b.c.x
        leftnexthop=a.b.c.y

conn gw-rw
        right=0.0.0.0
        auto=add

conn subnet-rw
        leftsubnet=192.168.x.0/24
        right=0.0.0.0
        auto=add                          


b) /etc/ipsec.secrets

a.b.c.x 0.0.0.0: &quot;my very secret secret&quot;   


Note: If you are running ipchains on your secure gateway,
you have to open the firewall for all the IPsec packets 
and also for traffic from your ipsec interface!
Don't masquerade the IPsec traffic!

Check your logfiles if the firewall is blocking some 
important packets!


Configuration of PGPnet:
=======================

(note that there is an excellent description, including
screenshots of PGPnet, on &lt;http://jixen.tripod.com/&gt;)

In short, do the following:

Launch the PGPnet configuration tool and set defaults options
=============================================================

Start - Program - PGP - PGPnet
View - Options
General Panel :
  Expert Mode
  Allow communications with unconfigured hosts
  Require valid authentication key
  Cache passphrases between logins
  IKE Duration : 6h
  IPsec : 6h
Advanced panel :
  Selected options :
    Ciphers : Tripple DES
    Hashes : MD5
    Diffie-Hellman : 1024 and 1536
    Compression : LZS and Deflate
  Make the IKE proposal :
    Shared-Key - MD5 - 3DES -1024 bits on top of the list (move up)
  Make the IPSec proposal :
    NONE - MD5-TrippleDES -NONE on top of the list (move up)
  Select Perfect Forward Secrecy = 1024 bits
Press OK


Create the connection's definition.
==================================

In the Hosts panel, ADD
  Name : Enter a name for the right gateway
  IPaddress : Enter its IP address visible to the internet (a.b.c.x)
  Select Secure Gateway
  Set shared Paraphrase : enter you preshared key
  Identity type : select IP address
  Identity : enter 0.0.0.0
  Remote Authentication : select Any valid key
Press Ok
  Select the newly created entry for the right gateway and click ADD,
YES
  Name : Enter a name for the central subnet
  IP address : Enter its network IP address (192.168.x.0)
  Select Insecure Subnet
  Subnet Mask : enter its subnetmask (255.255.255.0)
Press OK, YES, YES                             


This should be it. Note that with this configuration there is
still this re-keying problem: after 6 hours, the SA is expired
and the connection fails. You have to re-connect your connection
with PGPnet.</PRE>
<P>and a note from the team's tech support person:</P>
<PRE>Date: Thu, 29 Jun 2000
From: Claudia Schmeing 

There is a known issue with PGPNet which I don't see mentioned in the docs.
It's likely related to this one, that you note on the site:

&gt;2. After rekeying (i.e. after building a new SA bundle because the old
&gt;   one is about to expire), FreeS/WAN immediately switches to the new
&gt;   one while PGPnet continues using the old

The issue is: When taking down and subsequently recreating a connection, 
it can appear to come up, but it is unusable because PGPNet continues
to use an old SA, which Linux FreeS/WAN no longer recognizes. The solution is
to take down the old connection using PGPNet, so that it will then
use the most recently generated SA.</PRE>
<H3><A name="IRE">IRE Safenet/SoftPK</A></H3>
<P> IRE have an extensive line of IPSEC products, including firewall 
software with IPSEC, and hardware encryption devices for LAN or modem 
links. Their  Soft-PK is a Win 98 and NT client.</P>
<P> Quite a few people seem to be using this with FreeS/WAN and, 
judging by mailing list reports, to be getting good results.  Several 
documents are available: </P>
<UL>
<LI><A href="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf">
 PDF HowTo</A> titled <CITE>FreeS/WAN 1.8 &lt;--&gt; IRE Safenet SoftPK 5.1.0 
Road-Warrior VPN Configuration Guide</CITE> from Terradon 
Communications. </LI>
<LI><A href="http://www.redbaronconsulting.com/freeswan/fswansafenet.pdf">
 PDF document</A> from Red Baron Consulting. </LI>
<LI><A href="http://jixen.tripod.com/#Rw-IRE-to-Fwan"> IRE-to-FreeS/WAN 
section</A> of  Jean-Francois Nadeau's configuration document </LI>
</UL>
<P>Some messages from the mailing list:</P>
<PRE>
Subject: Re: Identification through other than IP number
Date:  Fri, 23 Apr 1999
From:  Tim Miller &lt;cerebus+counterpane@haybaler.sackheads.org&gt;

Randy Dees writes:

 &gt; Anyone know of a low-cost MS-Win client that interoperates and does not
 &gt; require purchasing a server license to get it?  

        SafeNet/Soft-PK from IRE (http://www.ire.com) is a low-cost
client (though I don't have the exact cost available at the moment).
I've got it running on an NT4 workstation and it interoperates nicely
(in transport mode, will try tunnel later) with FreeS/WAN.  It's also
ICSA IPsec certified.
</PRE>
 A later report from a different user:
<PRE>
Subject: Interop.. testing. WIN32 client : Success Story
Date: Thu, 11 Nov 1999
From: Jean-Francois Nadeau &lt;jna@microflex.ca&gt;
 
You can add IRE's products in the supported, well working (and cheap)
WIN32 client. I tested it (SafeNet SoftPK 3DES) against Freeswan 1.0
and 1.1 in both tunnel and transport mode in a RoadWarrior configuration.  No bug.  
 
The software is light, non-intrusive and transparent for the user.....defenitly,
thats a good one.
 
The tunnel is establish on demand. 
 
Using shared keys....but hope to use certificates with it soon (well,
when Freeswan will ;)).
</PRE>
 A recent report with some setup details: 
<PRE>
Subject: RE: linux-ipsec: PGPnet and Freeswan one more time...
   Date: Sat, 16 Dec 2000
  From: &quot;Tim Wilson&quot; &lt;timwilson@mediaone.net&gt;

Here are some details about using the IRE SafeNet Soft/PK client with a
FreeSwan gateway.

I applied the x509 patch to Pluto according to the instructions. I use the
&quot;leftcert&quot; and &quot;rightcert&quot; keywords in the ipsec.conf file. This causes
FreeSwan to read the public keys and identities from the cert files. The
identities wanted and used by FreeSwan will then be the DNs in the certs.

I used OpenSSL to generate keys and certs and to sign certs. When generating
the gateway cert, you should *not* enter an e-mail address because it turns
out that confuses Soft/PK. Also, Andreas Steffan tells me that you want to
keep the cert short to avoid fragmentation, so use a 1024-bit RSA key and
succinct names.

The FreeSwan gateway cert goes in /etc/ipsec.d/, the gateway private key is
extracted from the key file using fswcert (part of the x509 patch) and
pasted into /etc/ipsec.secrets, and a DER version of the gateway cert goes
in /etc/x509cert.der. This is all according to the instructions that
accompany the x509 patch.

The Windows client is of course running Soft/PK in this case. I generated a
private key and cert for the client on the Linux machine using OpenSSL. I
created a pkcs12 file containing the client's private key and cert, which I
put on a floppy and imported into Soft/PK. I also imported the gateway cert
into Soft/PK (you can either import a self-signed cert for the gateway or
the self-signed cert for the CA that signed the gateway cert--either works).

Soft/PK allows you to configure practically everything for the connection.
Here are the main points to watch for:

On the first panel you have to set the peer identities. The gateway will
identify itself using the DN in the gateway cert. So of course you have to
configure Soft/PK to look for the correct DN. There's no problem with this
as long as you didn't enter an e-mail address in the gateway cert. Just
check &quot;Connect using Secure Gateway tunnel&quot;, set ID type to &quot;Distinguished
Name&quot;, and enter the correct info in the dialog box.

In &quot;My identity&quot; just select the client cert that you imported in pcks12
format. Soft/PK apparently identifies itself with the DN from the cert,
which is exactly what FreeSwan is looking for.

In &quot;Security Policy&quot;, you want Main mode and make the PFS setting agree with
whatever FreeSwan is doing (FreeSwan uses PFS by default). If you use PFS I
believe you must use DH group 2 as FreeSwan doesn't like group 1.

Phase 1 Authentication must be &quot;RSA signatures&quot; and 3DES plus either MD5 or
SHA-1 (I used MD5 but I believe FreeSwan accepts either). I left the
lifetime unspecified. Also you must select DH group 2 because I believe that
FreeSwan will not accept group 1.

Phase 2 also must use 3DES and MD5 or SHA-1. I used no compression and only
ESP and no AH, haven't tried other choices.

Hope this helps.
</PRE>
<H3><A name="borderware">Borderware</A></H3>
<H3><A name="freegate">Freegate</A></H3>
<PRE>Subject: ipsec interoperability FYI
   Date: Sun, 02 May 1999
   From: Sean Rooney &lt;sean@coldstream.ca&gt;

we've been doing some basic interoperability testing of the following; 

PGP NT VPN 6.5 and freeswan both seem to work reasonably well with 
Borderware 6.0 and freegate 1.3 beta. [as well as eachother] 

more details coming soon.</PRE>
<H3><A name="timestep">Timestep</A></H3>
<PRE>
   Subject: TimeStep Permit/Gate interop works!
   Date: Thu, 10 Jun 1999
   From: Derick Cassidy &lt;dcthebrain@geek.com&gt;

Just a quick note of success.  TimeStep Permit/Gate (2520) and
Free/Swan (June 4th snapshot) interoperate!

I have them working in AUTO mode, with IKE.  IPSec SA's are negotiated
with 3DES and MD5.

Here are the configs and a diagram for both configs.

left subnet---| Timestep | --- internet --- | Linux box |

The left subnet is defined as the red side of the timestep box.
 This network definition MUST exist in the Secure Map.

On the Linux box:

ipsec.conf

conn timestep
        type=tunnel
        left=209.yyy.xxx.6
        leftnexthop=209.yyy.xxx.1
        leftsubnet=209.yyy.xxx.128/25
        right=24.aaa.bbb.203
        rightnexthop=24.aaa.bbb.1
        rightsubnet=24.aaa.bbb.203/32
        keyexchange=ike
        keylife=8h
        keyingtries=0

In the TimeStep permit/gate Secure Map

begin static-map
        target &quot;209.yyy.xxx.128/255.255.255.128&quot;
        mode   &quot;ISAKMP-Shared&quot;
        tunnel &quot;209.yyy.xxx.6&quot;
end

In the TimeStep Security Descriptor file

begin security-descriptor
        Name    &quot;High&quot;
        IPSec   &quot;ESP 3DES MINUTES 300 or ESP 3DES HMAC MD5 MINUTES 300&quot;
        ISAKMP  &quot;IDENTITY PFS 3DES MD5 MINUTES 1440
                                or DES MD5 MINUTES 1440&quot;
end

The timestep has a shared secret for 24.aaa.bbb.203/255.255.255.255
set in the Shared Secret Authentication tab of Permit/Config.</PRE>
<H3><A name="shiva">Shiva/Intel LANrover</A></H3>
<P>A <A href="http://snowcrash.tdyc.com/freeswan/">web page</A> with 
Shiva  compatibility information.</P>
<H3><A name="solaris">Sun Solaris</A></H3>
<PRE>   Subject: Re: FreeS/WAN and Solaris
   Date: Tue, 11 Jan 2000
   From: Peter Onion &lt;Peter.Onion@btinternet.com&gt;

Slowaris 8 has a native (in kernel) IPSEC implementation.

I've not done much interop testing yet, but I seem to rememeber we got a manual
keyed connection between it and FreeSwan a few months ago.</PRE>
<H3><A name="sonicwall">Sonicwall</A></H3>
<PRE>
Subject: Re: FreeS/WAN and SonicWall
     Date: Mon, 5 Feb 2001
     From: &quot;Dilan Arumainathan&quot; &lt;dilan_a@impark.com&gt;

***************************************************
I know I HAVE TO write the mini-howto - but here is the beginning
***************************************************

Here is my Sonicwall configuration for my working connection:

conn testauto
        left=x.x.x.x
        leftnexthop=x.x.x.x
        right=y.y.y.y
        rightnexthop=y.y.y.y
        rightsubnet=10.1.20.0/24
#You need to set the Unique Firewall Identifier to the parameter that you
#use as the rightid. 
<!--------IMPORTANT
        rightid=sw@sonicwall.com
        authby=secret
        auth=esp
        esp=3des-hmac-md5
        ikelifetime=6h
        keylife=5h

Your /etc/ipsec.secrets should be like this:
x.x.x.x y.y.y.y sw@sonicwall.com : PSK "opensesame"

On the Sonicwall create a new connection:

Name: testauto
IPSec Gateway address: 0.0.0.0
SA life time: 18000
Encryption Method: Strong Encrypt and Authenticate( EPS 3DES HMAC MD5)
Shared Secret: opensesame
</pre-->


</PRE>
<H3><A name="radguard">Radguard</A></H3>
 Here are some mailing list comments from FreeS/WAN tech support person 
Claudia Schmeing on this: 
<PRE>
It certainly has been possible to interop between Radguard VPN gateways and
past Linux FreeS/WAN versions, as is evidenced by 
http://www.opus1.com/vpn/atl99display.html, as well as my own interop results
from San Diego this year. There have been no major changes since SD that 
I would foresee affecting this.

The Radguard team said that their VPN gateway will not respond to a peer 
request with PFS (Perfect Forward Secrecy) on, but it *will* successfully 
establish such a connection with Linux FreeS/WAN when Radguard is the
initiator. Since PFS is a desirable feature in terms of cryptographic
security, this asymmetry may frustrate efforts to provide a connection that 
is both as reliable as secure as possible.

While it's not clear that rekeying will present a problem, I suspect that 
some fine tuning of the key life parameters may be needed. Unfortunately 
I was unable to do additional tests on this topic.

Due to the PFS issue, when trying to maintain a connection with PFS,
you may need to set the rekeying times shorter on the radguard side,
in order to ensure that it is always the initiator.
</PRE>
<H3><A name="winclient">Windows clients</A></H3>
<P> Quite a number of client programs for IPSEC on Windows are 
available. Many of them are listed in this piece of list mail:</P>
<PRE>
 Subject: Re: Searching Windows95/98 and NT4.0 Clients for FreeS/WAN 
    From: Claudia Schmeing &lt;claudia@coldstream.ca&gt; 
    Date: Wed, 12 Jul 2000

F-Secure VPN+
-------------
for Win 95, 98 and NT 4.0
http://www.datafellows.com/products/vpnplus


Checkpoint SecureRemote VPN-1 4.1
---------------------------------
for Win 95, 98 and NT
http://www.checkpoint.com/techsupport/freedownloads.html


Raptor Firewall, Raptor MobileNT 5.0
-------------------------------------
Mobile NT is a &quot;Client&quot;* for Win 95, 98 (except SE), First Edition Windows NT 
up to Service Pack 4. It ships with DES; triple DES may be available as an 
add-on depending on your location.

Firewall is for Win NT 4.0 or Win 2000.
http://www.axent.com


IRE SafeNet SoftPK
------------------
a &quot;Client&quot; for Win 95, 98 and NT 4.0 *
http://www.ire.com


Xedia's AccessPoint QVPN &quot;Client&quot; or &quot;Builder&quot;
----------------------------------------------
&quot;Builder&quot; is for NT
&quot;Client&quot; is for Win 98 *
http://www.xedia.com

* &quot;Client&quot; in this context indicates software that does not support a subnet
behind its end of the connection.
</PRE>
<P> That mail omits the <A href="#pgpnet">PGPnet client</A> because the 
user asking the question already knew of it. The <A href="#sentinel">
SSH Sentinel</A> client, released since the above message, is another 
possibility. Both of those have members of the vendor's staff active on 
our mailing list, an excellent sign for both interoperability and 
support.</P>
<P> We also know of some Windows IPSEC clients not mentioned above: </P>
<UL>
<LI><A href="http://www.lucent.com/ins/products/ipsec/">Lucent</A></LI>
<LI><A href="http://www.ashleylaurent.com/">Ashleylaurent</A></LI>
</UL>
<P> No doubt there are others we don't know of. </P>
<H3><A name="NTdomain">NT domains vs. tunnels</A></H3>
 There has been some mailing list discussion of making NT domains work 
across FreeS/WAN tunnels. 
<P> Robert Cotran asked: </P>
<PRE>
&gt; I have a VPN setup between two subnets (192.168.1.x and 192.168.2.x).  I
&gt; would like to be able to join the NT domain on 192.168.1.x from the
&gt; 192.168.2.x subnet.  Is this possible?  Do I have to forward specific ports
&gt; to do this?  I've already set up WINS entries for all the machines, so
&gt; accessing computers by their NetBIOS names works perfectly.  Please let me
&gt; know about this domain thing.  Thanks!
</PRE>
 Dilan Arumainathan answered: 
<PRE>
All you need to do is to:

1. Enable NetBIOS over TCP.
2. Create a &quot;lmhosts&quot; file and enter the address of a BDC or a PDC like
    192.168.1.[x]  [Your PDC/BDC servername] #PRE #DOM:[Your Domain Name]
    eg. 192.168.1.1 MYOWNPDC #PRE #DOM:DENSI-NT

3. Reboot if necessary.
</PRE>
 and Sebastien Pfieffer provided a slightly different answer: 
<PRE>
For a trust relationship to work between NT domains in different
(sub)nets all domain controllers of the 1st domain have to know about
all controllers of the other domain.
Either you use the described LMHOSTS entry for every domain controller
of both domains or consider setting up WINS service(s).
</PRE>
 We suspect that in some cases it may be more complex than that. See 
the discussion of <A href="#lin2k">Linux services and Windows 2000</A>
 below and the <A href="#otherpub">Interop HowTo</A> documents listed 
above. 
<H3><A name="win2k">Windows 2000</A></H3>
<P> Windows 2000 ships with an IPSEC implementation built in. There may 
be  restrictions. We have had mailing list reports that only the server 
version  will act as a gateway, working with a subnet behind it, and 
other versions  offer only &quot;client&quot; functionality, with no subnet. We 
are unclear on  details.</P>
<P>Some versions of Windows 2000 ship with only weak encryption. You 
need to  upgrade them with the strong encryption pack, available either 
via the  Windows 2000 update service or from Microsoft's web site.</P>
<P>Windows 2000 IPSEC sometimes exhibits remarkably odd behaviour. It 
will  allow you to configure it for 3DES only, then ignore your 
settings and fall  back to single DES in some circumstances. Microsoft 
have said they will fix  this. See this <A href="http://www.wired.com/news/technology/0,1282,36336,00.html">
Wired  article</A>.</P>
<H4><A name="lin2k">Other Linux services related to Win 2000</A></H4>
<P> Windows 2000 also uses a number of other security mechanisms which 
have Linux equivalents. To integrate well with Windows 2000, you may 
need to look at several open source projects other than FreeS/WAN:</P>
<UL>
<LI>Windows 2000 builds L2TP tunnels over (some of?) its IPSEC 
 connections. There is a Linux <A href="http://www.marko.net/l2tp/">
L2TP  Daemon</A>.</LI>
<LI>Kerberos authentication is used in Windows 2000. 
<UL>
<LI><A href="http://web.mit.edu/network/kerberos-form.html">MIT 
 Kerberos site</A></LI>
<LI><A href="http://consult.stanford.edu/afsinfo/kerberos.shtml">
introductory  document</A></LI>
<LI>Kerberos <A href="http://alycia.dementia.org/kerberos.html"> links 
 page</A></LI>
</UL>
</LI>
<P> The Windows 2000 Kerberos implementation includes proprietary 
modifications. This is a security worry since it is by no means clear 
that the modified version remains  secure. It also creates 
interoperation problems. Microsoft have released documentation on their 
modifications, but only under a license that hampers attempts either to 
audit their code for security flaws or to build other implementations 
that interoperate with it.</P>
<LI><A href="http://www.samba.org/">Samba</A> is a Linux implementation 
of  the Windows SMB protocol, allowing disk sharing and other network 
 services</LI>
<LI><A href="http://tipxd.sourceforge.net/">tipxd</A>, the Tunelling 
IPX Daemon,  encapsulates IPX for transport over IP. </LI>
</UL>
 Here is a mailing list message, from FreeS/WAN team tech support 
person Claudia Schmeing, discussing Windows 2000 and L2TP: 
<PRE>
You write,

&gt; I want some information about IPsec with L2TP.
&gt; I'm going to build the IPsec tunnel on the L2TP tunnel.
&gt; Is it strange?
&gt; Is there any case like this already implemented?

It's used, but rarely. In many cases, IPSec alone is sufficient. 

In this thread, Timo Teras reports that he configured the L2TP/IPSec 
hybrid with Win2k. He gives some pointers.
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00545.html

See also John P. Eisenmenger's report on his own experiences at:
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00195.html
</PRE>
<H4><A name="interop.win2k">FreeS/WAN-to-Win2000 interop</A></H4>
<P> As for IPSEC interoperation between Windows 2000 and FreeS/WAN, 
there are several web sites listed under <A href="#otherpub">Interop 
HowTo</A> documents above.</P>
<P>Here is a discussion from the mailing list:</P>
<PRE>From: &quot;Jean-Francois Nadeau&quot; &lt;jna@microflex.ca&gt;
Subject: Win2000 IPsec  interop. in tunnel mode
Date: Tue, 29 Feb 2000

This was a pain.... but it worked. ;)
 
Win2000 Server against Freeswan 1.1 in tunnel mode is a success.
 
My Setup
 
Freeswan :
Kernel 2.2.12 running Freeswan 1.1
Using 3DES-MD5 and PreShared Keys.
 
Win2000
M$ Win2000 Advanced server patched for 3DES
 
 
Here's the setup for the Win2000 Server.
 
Open an MMC with the IPsec Security policy editor snap-in.
Create a new IP Security Policy.
Create 2 IP SECURITY RULES. One for inbound traffic and one for outbound trafic (see below)
Create 2 IP FILTERS. One for inbound traffic and one for outbound trafic (see below)
Assign the inbound IP SECURITY RULE to the inbound IP FILTERS, same for outbound.
Select both IP SECURITY RULES.
Select your IP Security Policy, right click and ASSIGN.
 
 
We need an example to clarify that !@#! logic :
 
In freeswan : 
 
Conn Interop_Testing
Left=1.2.3.4
Leftsubnet=10.0.0.0/8
Right=9.8.7.6
Rightsubnet=192.168.0.0/24
 
 
In Win2000
 
IP Security Policy : Interop_Testing
 
**********
1st IP Security rule : Left_to_Right
        IP Filter  List : Left_to_Right
                Source Address = 1.2.3.4
                Destination Address = A specific Subnet = 192.168.0.0 255.255.255.0
        Filter Action : Request Security
        Connections type : All connections
        Tunnel Settings : Endpoint = 9.8.7.6
        Authentication Method = PreSharedKey=yourkey
***********    
        
**********
2nd IP Security rule : Right_to_Left
        IP Filter  List : Right_to_Left
                Source Address = 9.8.7.6
                Destination Address = A specific Subnet = 10.0.0.0 255.0.0.0
        Filter Action : Request Security
        Connections type : All connections
        Tunnel Settings : Endpoint = 1.2.3.4
        Authentication Method = PreSharedKey=yourkey
***********    
 
 
HINTS :
 
Do not use mirroring in your IP filters.
Move your main proposal to the top (in my case 3DES-MD5)
Enable PFS.
 
It worked... but a RoadWarrior configuration doesnt seems to be
possible here (must specify both Endpoints and 0.0.0.0 is not acceptable).
 
 
Jean-Francois Nadeau
Microlfex.
</PRE>
<P> The RoadWarrior problem has since been solved. RSA authentication 
has been added to FreeS/WAN since the above message was posted. </P>
<HR>
<H1><A name="politics">History and politics of cryptography</A></H1>
<P> Cryptography has a long and interesting history, and has been the 
subject of considerable political controversy. </P>
<H2><A name="intro.politics">Introduction</A></H2>
<H3><A NAME="11_1_1">History</A></H3>
<P> The classic book on the history of cryptography is David Kahn's <A href="#Kahn">
The Codebreakers</A>. It traces codes and codebreaking from ancient 
Egypt to the 20th century. </P>
<P> Diffie and Landau <A href="#diffie">Privacy on the Line: The 
Politics of Wiretapping and Encryption</A> covers the history from the 
First World War to the 1990s, with an emphasis on the US. </P>
<H4>World War II</H4>
 During the Second World War, the British &quot;Ultra&quot;project achieved one 
of the greatest intelligence triumphs in the history of warfare, 
breaking many Axis codes. One major target was the Enigma cipher 
machine, a German device whose users were convinced it was unbreakable. 
The American &quot;Magic&quot; project had some similar triumphs against Japanese 
codes. 
<P> There are many books on this period. See our bibliography for a 
few, or try a (web or library) search on &quot;Ultra&quot; and &quot;Enigma&quot;. Two 
books I particularly like are: </P>
<UL>
<LI>Andrew Hodges has done a superb <A href="http://www.turing.org.uk/book/">
biography</A> of Alan Turing, a key player among the Ultra 
codebreakers. Turing was also an important computer pioneer. The terms <A
href="http://www.abelard.org/turpap/turpap.htm">Turing test</A> and <A href="http://plato.stanford.edu/entries/turing-machine/">
Turing machine</A> are named for him, as is the <A href="http://www.acm.org">
ACM</A>'s highest  technical <A href="http://www.acm.org/awards/taward.html">
award</A>. </LI>
<LI> Neal Stephenson's <A href="#neal">Cryptonomicon</A> is a novel 
with cryptography central to the plot. Parts of it take place during WW 
II, other parts today. </LI>
</UL>
<P> Bletchley Park, where much of the Ultra work was done, now has a 
museum and a <A href="http://www.bletchleypark.org.uk/"> web site</A>. </P>
<P> The Ultra work introduced three major innovations. </P>
<UL>
<LI>The first break of Enigma was achieved by Polish Intelligence in 
1931. Until then most code-breakers had been linguists, but a different 
approach was needed  to break machine ciphers. Polish Intelligence 
realised this, recruited some clever young mathematicians, and 
succeeded in cracking the &quot;unbreakable&quot; Enigma. When war came in 1939, 
the Poles told their allies about this, putting Britain on the road to 
Ultra. The British also adopted a mathematical approach. </LI>
<LI>Machines were extensively used in the attacks. First the Polish 
&quot;Bombe&quot; for attacking Enigma, then British versions of it, then 
machines such as Collosus for attacking other codes. By the end of the 
war, some of these machines were beginning to closely resemble digital 
computers. After the war, a team at Manchester University, several old 
Ultra hands included, built one of the world's first actual 
general-purpose digital computers. </LI>
<LI>Ultra made codebreaking a large-scale enterprise, producing 
intelligence on an industrial scale. This was not a &quot;black chamber&quot;, 
not a hidden room in some obscure government building with a small crew 
of code-breakers. The whole operation -- from wholesale interception of 
enemy communications by stations around the world, through large-scale 
code-breaking and analysis of the decrypted material (with an enormous 
set of files for cross-referencing), to delivery of intelligence to 
field commanders -- was huge, and very carefully managed. </LI>
</UL>
<P> So by the end of the war, Allied code-breakers were expert at 
large-scale mechanised code-breaking. The payoffs were enormous. </P>
<H4><A name="postwar">Postwar and Cold War</A></H4>
 The wartime innovations were enthusiastically adopted by post-war and 
Cold War signals intelligence agencies. Presumably many nations now 
have some agency capable of sophisticated attacks on communications 
security, and quite a few engage in such activity on a large scale. 
<P> America's <A href="#NSA">NSA</A>, for example, is said to be both 
the world's largest employer of mathematicians and the world's largest 
purchaser of computer equipment. Such claims may be somewhat 
exaggerated, but beyond doubt the NSA -- and similar agencies in other 
countries -- have some excellent mathematicians, lots of powerful 
computers, sophisticated software, and the organisation and funding to 
apply them on a large scale. Details of the NSA budget are secret, but 
there are some published <A href="http://www.fas.org/irp/nsa/nsabudget.html">
estimates</A>. </P>
<P> Changes in the world's communications systems since WW II have 
provided these agencies with new targets. Cracking the codes used on an 
enemy's military or diplomatic communications has been common practice 
for centuries. Extensive use of radio in war made large-scale attacks 
such as Ultra possible. Modern communications make it possible to go 
far beyond that. Consider listening in on cell phones, or intercepting 
electronic mail, or tapping into the huge volumes of data on new media 
such as fiber optics or satellite links. None of these targets existed 
in 1950. All of them can be attacked today, and almost certainly are 
being attacked. </P>
<P> The Ultra story was not made public until the 1970s. Much of the 
recent history of codes and code-breaking has not been made public, and 
some of it may never be. Two important books are: </P>
<UL>
<LI>Bamford's <A href="#puzzle">The Puzzle Palace</A>, a history of the 
NSA </LI>
<LI>Hager's <A href="http://www.fas.org/irp/eprint/sp/index.html">
Secret Power</A>, about the <A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
Echelon</A> system -- the US, UK, Canada, Australia and New Zealand 
co-operating to monitor much of the world's communications. </LI>
</UL>
<P> Note that these books cover only part of what is actually going on, 
and then only the activities of nations open and democratic enough that 
(some of) what they are doing can be discovered. A full picture, 
including:</P>
<UL>
<LI>actions of the English-speaking democracies not covered in those 
books </LI>
<LI>actions of other more-or-less sane governments </LI>
<LI>the activities of various more-or-less insane governments </LI>
<LI>possibilities for unauthorized action by government employees </LI>
</UL>
<P> might be really frightening. </P>
<H4><A name="recent">Recent history -- the crypto wars</A></H4>
 Until quite recently, cryptography was primarily a concern of 
governments, especially of the military, of spies, and of diplomats. 
Much of it was extremely secret. 
<P> In recent years, that has changed a great deal. With computers and 
networking becoming ubiquitous, cryptography is now important to almost 
everyone. Among the developments since the 1970s: </P>
<UL>
<LI>The US gov't established the Data Encryption Standard, <A href="#DES">
DES</A> standard, a <A href="#block">block cipher</A> for cryptographic 
protection of unclassfied documents. It has also been widely used in 
industry. </LI>
<LI><A href="#public">Public key</A> cryptography was invented by 
Diffie and Hellman. </LI>
<LI>Academic conferences such as <A href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">
Crypto</A> and <A href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">
Eurocrypt</A> began. </LI>
<LI>Several companies began offerring cryptographic products: <A href="#RSAco">
RSA</A>, <A href="#PGPI">PGP</A>, the many vendors with <A href="#PKI">
PKI</A> products, ... </LI>
<LI>Cryptography appeared in other products: operating systems, word 
processors, ... </LI>
<LI>Network protocols based on crypto were developed: <A href="#SSH">
 SSH</A>, <A href="#SSL">SSL</A>, <A href="#IPSEC"> IPSEC</A>, ... </LI>
<LI>Crytography came into widespread use to secure bank cards, 
terminals, ... </LI>
<LI>The US government replaced <A href="#DES">DES</A> with the much 
stronger Advanced Encryption Standard, <A href="#AES">AES</A></LI>
</UL>
<P> This has led to a complex ongoing battle between various mainly 
government groups wanting to control the spread of crypto and various 
others, notably the computer industry and the  &quot;cypherpunk&quot; crypto 
advocates, wanting to encourage widespread use. </P>
<P> Steven Levy has written a fine history of much of this, called <A href="#crypto">
Crypto: How the Code rebels Beat the Government -- Saving Privacy in 
the Digital Age</A>. </P>
<P> The FreeS/WAN project is to a large extent an outgrowth of <A href="http://world.std.com/~franl/crypto/cypherpunks.html">
cypherpunk</A> ideas. Our reasons for doing the project can be  seen in 
these quotes from the <A href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">
Cypherpunk Manifesto</A>: <BLOCKQUOTE> Privacy is necessary for an open 
society in the electronic age. ... 
<P> We cannot expect governments, corporations, or other large, 
faceless organizations to grant us privacy out of their beneficence. 
 It is to their advantage to speak of us, and  we should expect that 
they will speak. ... </P>
<P> We must defend our own privacy if we expect to have any. ... </P>
<P> Cypherpunks write code.  We know that someone has to write software 
to defend privacy, and since we can't get privacy unless we all do, 
we're going to write it. We publish our code so that our fellow 
Cypherpunks may practice and play with it. Our code is free for all to 
use, worldwide.  We don't much care if you don't approve of the 
software we write.  We know that software can't be destroyed and that a 
widely dispersed system can't be shut down. </P>
<P> Cypherpunks deplore regulations on cryptography, for encryption is 
fundamentally a private act. ... </P>
<P> For privacy to be widespread it must be part of a social contract. 
People must come and together deploy these systems for the common good. 
... </P>
</BLOCKQUOTE> To quote project leader John Gilmore: <BLOCKQUOTE> We are 
literally in a race between our ability to build and deploy 
 technology, and their ability to build and deploy laws and treaties. 
 Neither side is likely to back down or wise up until it has 
definitively  lost the race. </BLOCKQUOTE></P>
<P> If FreeS/WAN reaches its goal of making <A href="#opp.intro">
opportunistic encryption</A> widespread so that secure communication 
can become the default for a large part of the net, we will have struck 
a major blow. </P>
<H3><A name="intro.poli">Politics</A></H3>
 The political problem is that nearly all governments want to monitor 
their enemies' communications, and some want to monitor their citizens. 
They may be very interested in protecting some of their own 
communications, and often some types of business communication, but not 
in having everyone able to communicate securely. They therefore attempt 
to restrict availability of strong cryptography as much as possible.
<P> Things various governments have tried or are trying include:</P>
<UL>
<LI>Echelon, a monitor-the-world project of the US, UK, NZ, Australian 
and  Canadian <A href="#SIGINT">signals intelligence</A> agencies. See 
this <A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
 collection</A> of links and  this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">
story</A> on the French Parliament's reaction.</LI>
<LI>Others governments may well have their own Echelon-like projects. 
To quote  the Dutch Minister of Defense, as reported in a German <A href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">
 magazine</A>: <BLOCKQUOTE> The government believes not only the 
governments associated with Echelon are  able to intercept 
communication systems, but that it is an activity of the  investigative 
authorities and intelligence services of many countries with 
 governments of different political signature. </BLOCKQUOTE> Even if 
they have nothing on the scale of Echelon, most intelligence agencies 
and  police forces certainly have some interception capability. </LI>
<LI><A href="#NSA">NSA</A> tapping of submarine communication cables, 
described  in <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">
this article</A></LI>
<LI>A proposal for international co-operation on <A href="http://www.heise.de/tp/english/special/enfo/4306/1.html">
 Internet surveillance</A>.</LI>
<LI>Alleged <A href="http://cryptome.org/nsa-sabotage.htm">sabotage</A>
 of security  products by the <A href="#NSA">NSA</A> (the US signals 
intelligence agency).</LI>
<LI>The German armed forces and some government departments will stop 
using American software for fear of NSA  &quot;back doors&quot;, according to 
this <A href="http://www.theregister.co.uk/content/4/17679.html">news 
story</A>. </LI>
<LI>The British Regulation of Investigatory Powers bill. See  this <A href="http://www.fipr.org/rip/index.html">
web page.</A> and  perhaps this <A href="http://ars.userfriendly.org/cartoons/?id=20000806&amp;mode=classic">
cartoon</A>.</LI>
<LI>A Russian <A href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">
ban</A> on cryptography</LI>
<LI>Chinese <A href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">
controls</A> on net use.</LI>
<LI>The FBI's carnivore system for covert searches of email. See this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">
news  coverage</A> and this <A href="http://www.crypto.com/papers/carnivore-risks.html">
risk  assessment</A>. The government had an external review of some 
aspects of this system done.  See this <A href="http://www.crypto.com/papers/carnivore_report_comments.html">
analysis</A> of that review. Possible defenses against Carnivore 
include: 
<UL>
<LI><A href="#PGP">PGP</A> for end-to-end mail encryption </LI>
<LI><A href="http://www.home.aone.net.au/qualcomm/">secure sendmail</A>
 for server-to-server  encryption </LI>
<LI>IPSEC encryption on the underlying IP network </LI>
</UL>
</LI>
<LI>export laws restricting strong cryptography as a munition. See <A href="#exlaw">
 discussion</A> below.</LI>
<LI>various attempts to convince people that fundamentally flawed 
cryptography,  such as encryption with a <A href="#escrow">back door</A>
 for government  access to data or with <A href="#shortkeys">inadequate 
key lengths</A>,  was adequate for their needs. </LI>
</UL>
<P> Of course governments are by no means the only threat to privacy 
and security on the net. Other threats include:</P>
<P>
<UL>
<LI>industrial espionage, as for example in this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">
news story</A></LI>
<LI>attacks by organised criminals, as in this <A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
 large-scale attack</A></LI>
<LI>collection of personal data by various companies. 
<UL>
<LI>for example, consider the various corporate winners of Privacy 
International's <A href="http://www.privacyinternational.org/bigbrother/">
Big Brother Awards</A>.</LI>
<LI><A href="http://www.zeroknowledge.com">Zero Knowledge</A> sell 
tools to defend against this</LI>
</UL>
</LI>
<LI>individuals may also be a threat in a variety of ways and for a 
variety of reasons </LI>
<LI>in particular, an individual with access to government or industry 
data collections could do considerable damage using that data in 
unauthorized ways. </LI>
</UL>
<P> One <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">
study</A> enumerates threats and possible responses for small and 
medium businesses. VPNs are a key part of the suggested strategy. </P>
<P> We consider privacy a human right. Our objective is to help make 
privacy possible on the Internet using cryptography strong enough not 
even those well-funded government agencies are likely to break it. If 
we can do that, the chances of anyone else breaking it are negliible. </P>
<H3><A NAME="11_1_3">Links</A></H3>
 Many groups are working in different ways to defend privacy on the net 
and elsewhere. Please consider contributing to one or more of these 
groups: 
<UL>
<LI>the EFF's <A href="http://www.eff.org/crypto/">Privacy Now!</A>
 campaign</LI>
<LI>the <A href="http://www.gilc.org">Global Internet Liberty  Campaign</A>
</LI>
<LI><A href="http://www.cpsr.org/program/privacy/privacy.html">Computer 
Professionals for Social Responsibility</A></LI>
</UL>
<P> For more on these issues see: </P>
<UL>
<LI>Steven Levy (Newsweek's chief technology writer and author of the 
classic &quot;Hackers&quot;) new book <A href="#crypto"> Crypto: How the Code 
Rebels Beat the Government--Saving  Privacy in the Digital Age</A></LI>
<LI>Simson Garfinkel (Boston Globe columnist and author of books on <A href="#PGP">
PGP</A> and <A href="#practical"> Unix Security</A>) book <A href="#Garfinkel">
Database Nation: the death  of privacy in the 21st century</A></LI>
<LI>an <A href="http://www.immaterial.net/page.php3?id=44">interview</A>
 with Eblen Morgan (general counsel to the <A href="">Free Software 
Foundation</A> and a professor at Columbia Law School) on the 
&quot;encryption wars&quot;. </LI>
</UL>
<P> See also the <A href="biblio.html">bibliography</A> and our list of <A
href="#policy">web references</A> on cryptography law and policy.</P>
<H3><A NAME="11_1_4">Outline of this section</A></H3>
<P> The remainder of this section includes two pieces of writing by our 
 project leader</P>
<UL>
<LI>his <A href="#gilmore">rationale</A> for starting this</LI>
<LI>another <A href="#policestate">discussion</A> of project goals</LI>
</UL>
<P>and discussions of:</P>
<UL>
<LI><A href="#desnotsecure">why we do not use DES</A></LI>
<LI><A href="#exlaw">cryptography export laws</A></LI>
<LI>why <A href="#escrow">government access to keys</A> is not a good 
 idea</LI>
<LI>the myth that <A href="#shortkeys">short keys</A> are adequate for 
 some security requirements</LI>
</UL>
<P> and a section on <A href="#press">press coverage of FreeS/WAN</A>.</P>
<H2><A name="leader">From our project leader</A></H2>
<P> FreeS/WAN project founder John Gilmore wrote a web page about why 
we are doing this. The version below is slightly edited, to fit this 
format and to update some links. For a version without these edits, see 
his <A href="http://www.toad.com/gnu/">home page</A>.</P>
<CENTER>
<H3><A name="gilmore">Swan: Securing the Internet against Wiretapping</A>
</H3>
</CENTER>
<P>My project for 1996 was to <B>secure 5% of the Internet traffic 
against  passive wiretapping</B>. It didn't happen in 1996, so I'm 
still working on  it in 1997, 1998, and 1999! If we get 5% in 1999 or 
2000, we can secure 20%  the next year, against both active and passive 
attacks; and 80% the  following year.  Soon the whole Internet will be 
private and secure. The  project is called S/WAN or S/Wan or Swan for 
Secure Wide Area Network; since  it's free software, we call it 
FreeSwan to distinguish it from various  commercial implementations. <A href="http://www.rsa.com/rsa/SWAN/">
RSA</A> came up with the term &quot;S/WAN&quot;. Our main web site is at <A href="http://www.freeswan.org/">
http://www.freeswan.org/</A>. Want to  help?</P>
<P>The idea is to deploy PC-based boxes that will sit between your 
local  area network and the Internet (near your firewall or router) 
which  opportunistically encrypt your Internet packets.  Whenever you 
talk to a  machine (like a Web site) that doesn't support encryption, 
your traffic goes  out &quot;in the clear&quot; as usual.  Whenever you connect 
to a machine that does  support this kind of encryption, this box 
automatically encrypts all your  packets, and decrypts the ones that 
come in.  In effect, each packet gets  put into an &quot;envelope&quot; on one 
side of the net, and removed from the envelope  when it reaches its 
destination.  This works for all kinds of Internet  traffic, including 
Web access, Telnet, FTP, email, IRC, Usenet, etc.</P>
<P>The encryption boxes are standard PC's that use freely available 
Linux  software that you can download over the Internet or install from 
a cheap  CDROM.</P>
<P>This wasn't just my idea; lots of people have been working on it for 
 years. The encryption protocols for these boxes are called <A href="#IPSEC">
IPSEC (IP Security)</A>. They have been developed by the <A href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">
IP  Security Working Group</A> of the <A href="http://www.ietf.org/">
Internet  Engineering Task Force</A>, and will be a standard part of 
the next major  version of the Internet protocols (<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
IPv6</A>). For  today's (IP version 4) Internet, they are an option.</P>
<P>The <A href="http://www.iab.org/iab">Internet Architecture Board</A>
 and <A href="http://www.ietf.org/"> Internet Engineering Steering Group</A>
 have  taken a <A href="iab-iesg.stmt">strong stand</A> that the 
Internet should  use powerful encryption to provide security and 
privacy.  I think these  protocols are the best chance to do that, 
because they can be deployed very  easily, without changing your 
hardware or software or retraining your users.  They offer the best 
security we know how to build, using the Triple-DES,  RSA, and 
Diffie-Hellman algorithms.</P>
<P>This &quot;opportunistic encryption box&quot; offers the &quot;fax effect&quot;.  As 
each  person installs one for their own use, it becomes more valuable 
for their  neighbors to install one too, because there's one more 
person to use it  with. The software automatically notices each newly 
installed box, and  doesn't require a network administrator to 
reconfigure it.  Instead of  &quot;virtual private networks&quot; we have a &quot;REAL 
private network&quot;; we add privacy  to the real network instead of 
layering a manually-maintained virtual  network on top of an insecure 
Internet.</P>
<H4>Deployment of IPSEC</H4>
<P>The US government would like to control the deployment of IP 
Security  with its <A href="#exlaw">crypto export laws</A>. This isn't 
a problem for  my effort, because the cryptographic work is happening 
outside the United  States. A foreign philanthropist, and others, have 
donated the resources  required to add these protocols to the Linux 
operating system. <A href="http://www.linux.org/">Linux</A> is a 
complete, freely available  operating system for IBM PC's and several 
kinds of workstation, which is  compatible with Unix.  It was written 
by Linus Torvalds, and is still  maintained by a talented team of 
expert programmers working all over the  world and coordinating over 
the Internet.  Linux is distributed under the <A href="#GPL">GNU Public 
License</A>, which gives everyone the right to copy  it, improve it, 
give it to their friends, sell it commercially, or do just  about 
anything else with it, without paying anyone for the privilege.</P>
<P>Organizations that want to secure their network will be able to put 
two  Ethernet cards into an IBM PC, install Linux on it from a $30 
CDROM or by  downloading it over the net, and plug it in between their 
Ethernet and their  Internet link or firewall. That's all they'll have 
to do to encrypt their  Internet traffic everywhere outside their own 
local area network.</P>
<P>Travelers will be able to run Linux on their laptops, to secure 
their  connection back to their home network (and to everywhere else 
that they  connect to, such as customer sites). Anyone who runs Linux 
on a standalone  PC will also be able to secure their network 
connections, without changing  their application software or how they 
operate their computer from day to  day.</P>
<P>There will also be numerous commercially available firewalls that 
use  this technology. <A href="http://www.rsa.com/">RSA Data Security</A>
 is  coordinating the <A href="http://www.rsa.com/rsa/SWAN">S/Wan 
(Secure Wide  Area Network)</A> project among more than a dozen vendors 
who use these  protocols. There's a <A href="http://www.rsa.com/rsa/SWAN/swan_test.htm">
compatability chart</A> that shows which vendors have tested their 
boxes against which other vendors  to guarantee interoperatility.</P>
<P>Eventually it will also move into the operating systems and 
networking  protocol stacks of major vendors.  This will probably take 
longer, because  those vendors will have to figure out what they want 
to do about the export  controls.</P>
<H4>Current status</H4>
<P>My initial goal of securing 5% of the net by Christmas '96 was not 
met.  It was an ambitious goal, and inspired me and others to work 
hard, but was  ultimately too ambitious.  The protocols were in an 
early stage of  development, and needed a lot more protocol design 
before they could be  implemented.  As of April 1999, we have released 
version 1.0 of the software  (<A href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">
freeswan-1.0.tar.gz</A>),  which is suitable for setting up Virtual 
Private Networks using shared  secrets for authentication.  It does not 
yet do opportunistic encryption, or  use DNSSEC for authentication; 
those features are coming in a future  release.</P>
<DL>
<DT>Protocols</DT>
<DD>The low-level encrypted packet formats are defined.  The system for 
 publishing keys and providing secure domain name service is defined. 
 The IP Security working group has settled on an NSA-sponsored protocol 
 for key agreement (called ISAKMP/Oakley), but it is still being worked 
 on, as the protocol and its documentation is too complex and 
 incomplete. There are prototype implementations of ISAKMP.  The 
 protocol is not yet defined to enable opportunistic encryption or the 
 use of DNSSEC keys.</DD>
<DT>Linux Implementation</DT>
<DD>The Linux implementation has reached its first major release and is 
 ready for production use in manually-configured networks, using Linux 
 kernel version 2.0.36.</DD>
<DT>Domain Name System Security</DT>
<DD>There is now a release of BIND 8.2 that includes most DNS Security 
 features. </DD>
<P>The first prototype implementation of Domain Name System Security 
 was funded by <A href="#DARPA">DARPA</A> as part of their <A href="http://www.darpa.mil/ito/research/is/index.html">
Information  Survivability program</A>. <A href="http://www.tis.com">
Trusted  Information Systems</A> wrote a modified version of <A href="http://www.isc.org/bind.html">
BIND</A>, the widely-used Berkeley  implementation of the Domain Name 
System.</P>
<P>TIS, ISC, and I merged the prototype into the standard version of 
 BIND. The first production version that supports KEY and SIG records 
 is <B>bind-4.9.5</B>. This or any later version of BIND will do for 
 publishing keys.  It is available from the <A href="http://www.isc.org/bind.html">
Internet Software Consortium</A>.  This version of BIND is not 
export-controlled since it does not  contain any cryptography.  Later 
releases starting with BIND 8.2  include cryptography for 
authenticating DNS records, which is also  exportable. Better 
documentation is needed.</P>
</DL>
<H4>Why?</H4>
<P>Because I can.  I have made enough money from several successful 
startup  companies, that for a while I don't have to work to support 
myself. I spend  my energies and money creating the kind of world that 
I'd like to live in  and that I'd like my (future) kids to live in. 
Keeping and improving on the  civil rights we have in the United 
States, as we move more of our lives into  cyberspace, is a particular 
goal of mine.</P>
<H4>What You Can Do</H4>
<DL>
<DT>Install the latest BIND at your site.</DT>
<DD>You won't be able to publish any keys for your domain, until you 
 have upgraded your copy of BIND.  The thing you really need from it is 
 the new version of <I>named</I>, the Name Daemon, which knows about 
 the new KEY and SIG record types.  So, download it from the <A href="http://www.isc.org/bind.html">
Internet Software Consortium </A> and install it on your name server 
machine (or get your system  administrator, or Internet Service 
Provider, to install it).  Both  your primary DNS site and all of your 
secondary DNS sites will need  the new release before you will be able 
to publish your keys.  You can  tell which sites this is by running the 
Unix command &quot;dig MYDOMAIN ns&quot;  and seeing which sites are mentioned in 
your NS (name server)  records.</DD>
<DT>Set up a Linux system and run a 2.0.x kernel on it</DT>
<DD>Get a machine running Linux (say the 5.2 release from <A href="http://www.redhat.com">
Red Hat</A>). Give the machine two  Ethernet cards.</DD>
<DT>Install the Linux IPSEC (Freeswan) software</DT>
<DD>If you're an experienced sysadmin or Linux hacker, install the 
 freeswan-1.0 release, or any later release or snapshot. These releases 
 do NOT provide automated &quot;opportunistic&quot; operation; they must be 
 manually configured for each site you wish to encrypt with.</DD>
<DT>Get on the linux-ipsec mailing list</DT>
<DD>The discussion forum for people working on the project, and testing 
 the code and documentation, is: linux-ipsec@clinet.fi. To join this 
 mailing list, send email to <A href="mailto:linux-ipsec-REQUEST@clinet.fi">
linux-ipsec-REQUEST@clinet.fi</A> containing a line of text that says 
&quot;subscribe linux-ipsec&quot;. (You can  later get off the mailing list the 
same way -- just send &quot;unsubscribe  linux-ipsec&quot;).</DD>
<P>
<DT>Check back at this web page every once in a while</DT>
<DD>I update this page periodically, and there may be new information 
in  it that you haven't seen.  My intent is to send email to the 
mailing  list when I update the page in any significant way, so 
subscribing to  the list is an alternative.</DD>
</DL>
<P>Would you like to help?  I can use people who are willing to write 
 documentation, install early releases for testing, write cryptographic 
code  outside the United States, sell pre-packaged software or systems 
including  this technology, and teach classes for network 
administrators who want to  install this technology. To offer to help, 
send me email at gnu@toad.com.  Tell me what country you live in and 
what your citizenship is (it matters  due to the export control laws; 
personally I don't care).  Include a copy of  your resume and the URL 
of your home page.  Describe what you'd like to do  for the project, 
and what you're uniquely qualified for.  Mention what other  volunteer 
projects you've been involved in (and how they worked out).  Helping 
out will require that you be able to commit to doing particular 
 things, meet your commitments, and be responsive by email.  Volunteer 
 projects just don't work without those things.</P>
<H4>Related projects</H4>
<DL>
<DT>IPSEC for NetBSD</DT>
<DD>This prototype implementation of the IP Security protocols is for 
 another free operating system. <A href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz">
Download  BSDipsec.tar.gz</A>.</DD>
<DT>IPSEC for <A href="http://www.openbsd.org">OpenBSD</A></DT>
<DD>This prototype implementation of the IP Security protocols is for 
 yet another free operating system.  It is directly integrated into the 
 OS release, since the OS is maintained in Canada, which has freedom of 
 speech in software.</DD>
</DL>
<H3><A name="policestate">Stopping wholesale monitoring</A></H3>
<P>From a message project leader John Gilmore posted to the mailing 
 list:</P>
<PRE>
John Denker wrote:

&gt; Indeed there are several ways in which the documentation overstates the 
&gt; scope of what this project does -- starting with the name 
&gt; FreeS/WAN.  There's a big difference between having an encrypted IP tunnel 
&gt; versus having a Secure Wide-Area Network.  This software does a fine job of 
&gt; the former, which is necessary but not sufficient for the latter.

The goal of the project is to make it very hard to tap your wide area
communications.  The current system provides very good protection
against passive attacks (wiretapping and those big antenna farms).
Active attacks, which involve the intruder sending packets to your
system (like packets that break into sendmail and give them a root
shell :-) are much harder to guard against.  Active attacks that
involve sending people (breaking into your house and replacing parts
of your computer with ones that transmit what you're doing) are also
much harder to guard against.  Though we are putting effort into
protecting against active attacks, it's a much bigger job than merely
providing strong encryption.  It involves general computer security,
and general physical security, which are two very expensive problems
for even a site to solve, let alone to build into a whole society.

The societal benefit of building an infrastructure that protects
well against passive attacks is that it makes it much harder to do
undetected bulk monitoring of the population.  It's a defense against
police-states, not against policemen.

Policemen can put in the effort required to actively attack sites that
they have strong suspicions about.  But police states won't be able to
build systems that automatically monitor everyone's communications.
Either they will be able to monitor only a small subset of the
populace (by targeting those who screwed up their passive security),
or their monitoring activities will be detectable by those monitored
(active attacks leave packet traces or footprints), which can then be
addressed through the press and through political means if they become
too widespread.

FreeS/WAN does not protect very well against traffic analysis, which
is a kind of widespread police-state style monitoring that still
reveals significant information (who's talking to who) without
revealing the contents of what was said.  Defenses against traffic
analysis are an open research problem.  Zero Knowledge Systems is
actively deploying a system designed to thwart it, designed by Ian
Goldberg.  The jury is out on whether it actually works; a lot more
experience with it will be needed.
</PRE>
<P> Notes on things mentioned in that message: </P>
<UL>
<LI>Denker is a co-author of a <A href="#applied">paper</A> on a large 
FreeS/WAN application.</LI>
<LI> Information on Zero Knowledge is on their <A href="http://www.zks.net/">
web site</A>. Their Freedom product is designed to provide untracable 
pseudonyms for use on the net.</LI>
<LI>Another section of our documentation discusses ways to <A href="#traffic.resist">
resist traffic analysis</A>. </LI>
</UL>
<H2><A name="weak">Government promotion of weak crypto</A></H2>
<P> Various groups, especially governments and especially the US 
government, have a long history of advocating various forms of bogus 
security.</P>
<P> We regard bogus security as extremely dangerous. If users are 
deceived into relying on bogus security, then they may be exposed to 
large risks. They would be better off having no security and knowing 
it. At least then they would be careful about what they said.</P>
<P><STRONG> Avoiding bogus security is a key design criterion for 
everything we do in FreeS/WAN</STRONG>. The most conspicuous example is 
our refusal to support <A href="desnotsecure">single DES</A>. Other 
IPSEC &quot;features&quot; which we do not implement are discussed in our <A href="#dropped">
compatibility</A> document.</P>
<H3><A name="escrow">Escrowed encryption</A></H3>
<P> Various governments have made persistent attempts to encourage or 
mandate &quot;escrowed encrytion&quot;, also called &quot;key recovery&quot;, or GAK for 
&quot;government access to keys&quot;. The idea is that cryptographic keys be 
held by some third party and turned over to law enforcement or security 
agencies under some conditions.</P>
<PRE>
  Mary had cryptography
  Her keys were in escrow
  And everything that Mary said
  The feds were sure to know
</PRE>
 (If anyone knows the origin of that ditty, let <A href="mailto:sandy@storm.ca">
let me know</A> so I can credit the author.) 
<P> There is an excellent paper available on <A href="http://www.cdt.org/crypto/risks98/">
Risks of Escrowed Encryption</A>, from a group of cryptographic 
luminaries which included our project leader.</P>
<P> Like any unnecessary complication, GAK tends to weaken security of 
any design it infects. For example: </P>
<UL>
<LI>Matt Blaze found a fatal flaw in the US government's Clipper chip 
shortly after design information became public. See his paper &quot;Protocol 
Failure in the Escrowed Encryption Standard&quot; on his <A href="http://www.crypto.com/papers/">
papers</A> page.</LI>
<LI>a rather <A href="http://www.pgp.com/other/advisories/adk.asp">
nasty bug</A> has recently been found in the &quot;additional decryption 
keys&quot; &quot;feature&quot; of recent releases of <A href="#PGP">PGP</A></LI>
</UL>
<P> FreeS/WAN does not support escrowed encryption, and never will.</P>
<H3><A name="shortkeys">Limited key lengths</A></H3>
<P> Various governments, and some vendors, have also made persistent 
attempts to convince people that: </P>
<UL>
<LI>weak systems are sufficient for some data </LI>
<LI>strong cryptography should be reserved for cases where the extra 
overheads are justified </LI>
</UL>
<STRONG> This is nonsense</STRONG>.
<P> Weak systems touted include:</P>
<UL>
<LI>the ludicrously weak (deliberately crippled) 40-bit ciphers that 
until  recently were all various <A href="#exlaw">export laws</A>
 allowed</LI>
<LI>56-bit single DES, discussed <A href="#desnotsecure">below</A></LI>
<LI>64-bit symmetric ciphers and 512-bit RSA, the maximums for 
unrestricted  export under various current laws</LI>
</UL>
<P> The notion that choice of ciphers or keysize should be determined 
by a trade-off between security requirements and overheads is pure 
bafflegab.</P>
<UL>
<LI>For most <A href="#symmetric">symmetric ciphers</A>, it is simply a 
 lie. Any block cipher has some natural maximum keysize inherent in the 
 design -- 128 bits for <A href="#IDEA">IDEA</A> or <A href="#CAST128">
 CAST-128</A>, 256 for any of the <A href="#AES"> AES</A> ciphers, 448 
for <A href="#Blowfish">Blowfish</A> and 2048 for <A href="#RC4"> RC4</A>
. Using any key size up to that natural limit the  overheads are 
exactly what they would be for the crippled 40-bit or  64-bit version 
of the cipher.</LI>
<LI>For the special case of <A href="#3DES">triple DES</A> there is a 
 grain of truth in the argument. 3DES is indeed three times slower than 
 single DES. Of course it is also fast enough for many applications. In 
 cases where it isn't, the solution is not to use the insecure single 
 DES, but to pick a faster secure cipher. <A href="#CAST128"> CAST-128</A>
, <A href="#Blowfish"> Blowfish</A> and the <A href="#AES"> AES 
candidate</A> ciphers are are all considerably faster in software than 
DES (let alone  3DES), and apparently secure.</LI>
<LI>For <A href="#public">public key</A> techniques, there are extra 
 overheads for larger keys, but they generally do not affect overall 
 performance significantly. Practical public key applications are 
usually <A href="#hybrid">hybrid</A> systems in which the bulk of the 
work is done  by a symmetric cipher. The effect of increasing the cost 
of the public  key operations is typically negligible because the 
public key operations  use only a tiny fraction of total resources. </LI>
<P> For example, suppose public key  operations use use 1% of the time 
in a hybrid system and you triple the  cost of public key operations. 
The cost of symmetric cipher operations  is unchanged at 99% of the 
original total cost, so the overall effect is a  jump from 99 + 1 = 100 
to 99 + 3 = 102, a 2% rise in system cost.</P>
</UL>
<P> In short, <STRONG>there has never been any technical reason to use 
inadequate ciphers</STRONG>. The only reason there has ever been for 
anyone to use such ciphers is that government agencies want weak 
ciphers used so that they can crack them. The alleged savings are 
simply propaganda.</P>
<P> Of course, making systems secure does involve costs, and trade-offs 
can be made between cost and security. There can be substantial 
hardware and software costs. There are almost always substantial staff 
or contracting costs: </P>
<UL>
<LI>Security takes staff time for planning, implementation and 
auditing. Some of the issues are subtle; you need good (hence often 
expensive) people for this. </LI>
<LI>You also need people to monitor your systems and respond to 
problems. The best safe ever built is insecure if an attacker can work 
on it for days without anyone noticing. Any computer is insecure if the 
administrator is &quot;too busy&quot; to check the logs. </LI>
<LI>Moreover, someone in your organisation (or on contract to it) needs 
to spend considerable time keeping up with new developments. 
<UL>
<LI>When some novel attack threatens some program you use, someone 
should notice. </LI>
<LI>When the vendor provides a patch that fixes the vulnerability, 
someone should apply it. </LI>
<P> For a fairly awful example, see this <A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
report</A>. In that case over a million credit card numbers were taken 
from e-commerce sites, using security flaws in Windows NT servers. 
Microsoft had long since released patches for most or all of the flaws, 
but the site administrators had not applied them. </P>
<LI>If the vendor does nothing, someone should do at least one of: 
<UL>
<LI>raise hell with the vendor </LI>
<LI> raise the question of changing vendors </LI>
</UL>
</LI>
</UL>
 At an absolute minimum, you must do something about such issues <EM>
before</EM> an exploitation tool is posted to the net for downloading 
by dozens of &quot;script kiddies&quot;. Such a tool might appear at any time 
from the announcement of the security hole to several months later. 
Once it appears, anyone with a browser and an attitude can break any 
system whose administrators have done nothing about the flaw. </LI>
<LI>There are often substantial training costs, both to train 
administrators and to increase user awareness of security issues and 
procedures.</LI>
</UL>
<P> Compared to those costs, cipher overheads are an insignificant 
factor in the cost of security. Note, however, that choosing an 
insecure cipher can cause all your other investment to be wasted.</P>
<P> Our policy in FreeS/WAN is to use only cryptographic components 
with adequate keylength and no known weaknesses. </P>
<UL>
<LI>We do not implement single DES because it is clearly <A href="#desnotsecure">
insecure</A>, so implemeting it would violate our policy of avoiding 
bogus security. Our default cipher is <A href="#3DES">3DES</A></LI>
<LI> Similarly, we do not implement the 768-bit Group 1 for <A href="#DH">
Diffie-Hellman</A> key negotiation. It is not clear that this is 
secure, so we provide only the 1024-bit Group 2 and 1536-bit Group 5.</LI>
</UL>
<P> These decisions imply that we cannot fully conform to the IPSEC 
RFCs, since those have DES as the only required cipher and Group 1 as 
the only required DH group. (In our view, the standards were subverted 
into offerring bogus security.) Fortunately, we can still interoperate 
with most other IPSEC implementations since nearly all implementers 
provide at least 3DES and Group 2 as well.</P>
<P> We hope that eventually the RFCs will catch up with our (and 
others') current practice and reject dubious components. Some of our 
team and a number of others are working on this in <A href="#IETF">IETF</A>
 working groups.</P>
<H2><A name="exlaw">Cryptography Export Laws</A></H2>
<P>Many nations restrict the export of cryptography and some restrict 
its  use by their citizens or others within their borders.</P>
<H3><A name="USlaw">US Law</A></H3>
<P>US laws, as currently interpreted by the US government, forbid 
export of  most cryptographic software from the US in machine-readable 
form without  government permission. In general, the restrictions apply 
even if the  software is widely-disseminated or public-domain and even 
if it came from  outside the US originally. Cryptography is legally a 
munition and export is  tightly controlled under the <A href="#EAR">EAR</A>
 Export Administration  Regulations.</P>
<P>If you are a US citizen, your brain is considered US territory no 
matter  where it is physically located at the moment. The US believes 
that its laws  apply to its citizens everywhere, not just within the 
US. Providing  technical assistance or advice to foreign &quot;munitions&quot; 
projects is illegal.  The US government has very little sense of humor 
about this issue and does  not consider good intentions to be 
sufficient excuse. Beware.</P>
<P>The <A href="http://www.bxa.doc.gov/Encryption/">official website</A>
 for  these regulations is run by the Commerce Department's Bureau of 
Export  Administration (BXA). Information on various challenges to them 
is  indexed in the <A href="ftp://ftp.cygnus.com/pub/export/export.html">
Cryptography Export Control Archives</A>. </P>
<P> The <A href="http://www.eff.org/bernstein/">Bernstein case</A>
 challenges the export restrictions on Constitutional grounds. Code is 
speech so restrictions on export of code violate the First Amendment's 
free speech provisions. This argument has succeeded in two levels of 
court so far. It is quite likely to go on to the Supreme Court.</P>
<P> The regulations were changed substantially in January 2000, 
apparently as a government attempt to get off the hook in the Bernstein 
case. It is now legal to export public domain source code for 
encryption, provided you notify the <A href="#BXA">BXA</A>. </P>
<P> There are, however, still restrictions in force. See this <A href="">
article</A>. Moreover, the regulations can still be changed again 
whenever the government chooses to do so. Short of a Supreme Court 
ruling (in the Berstein case or another) that overturns the regulations 
completely, the problem of export regulation is not likely to go away 
in the forseeable future. </P>
<H4><A name="UScontrib">US contributions to FreeS/WAN</A></H4>
<P>The FreeS/WAN project <STRONG>cannot accept software contributions, <EM>
 not even small bug fixes</EM>, from US citizens or residents</STRONG>. 
We  want it to be absolutely clear that our distribution is not subject 
to US  export law. Any contribution from an American might open that 
question to a  debate we'd prefer to avoid. It might also put the 
contributor at serious  legal risk.</P>
<P>Of course Americans can still make valuable contributions (many 
already  have) by reporting bugs, or otherwise contributing to 
discussions, on the  project <A href="mail.html">mailing list</A>. 
Since the list is public, this is  clearly constitutionally protected 
free speech.</P>
<P> Note, however, that the export laws restrict Americans from 
providing technical assistance to foreign &quot;munitions&quot; projects. The 
government might claim that private discussions or correspondence with 
FreeS/WAN developers were covered by this. It is not clear what the 
courts would do with such a claim, so we strongly encourage Americans 
to use the list rather than risk the complications.</P>
<H3><A name="wrong">What's wrong with restrictions on cryptography</A></H3>
<P>Some quotes from prominent cryptography experts:</P>
<BLOCKQUOTE> The real aim of current policy is to ensure the continued 
effectiveness of  US information warfare assets against individuals, 
businesses and  governments in Europe and elsewhere.
<BR><A href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson, 
Cambridge  University</A></BLOCKQUOTE><BLOCKQUOTE> If the government 
were honest about its motives, then the debate about  crypto export 
policy would have ended years ago.
<BR><A href="http://www.counterpane.com"> Bruce Schneier, Counterpane 
 Systems</A></BLOCKQUOTE><BLOCKQUOTE> We should not be building 
surveillance technology into standards. Law  enforcement was not 
supposed to be easy. Where it is easy, it's called a  police state.
<BR> Jeff Schiller of MIT, in a discussion of FBI demands for wiretap 
 capability on the net, as quoted by <A href="http://www.wired.com/news/politics/0,1283,31895,00.html">
Wired</A>.</BLOCKQUOTE>
<P>The Internet Architecture Board (IAB) and the Internet Engineering 
 Steering Group (IESG) made a <A href="iab-iesg.stmt">strong statement</A>
 in  favour of worldwide access to strong cryptography. Essentially the 
same  statement is in the appropriately numbered <A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">
RFC 1984</A>. Two critical  paragraphs are:</P>
<BLOCKQUOTE> We believe that such policies are against the interests of 
consumers and  the business community, are largely irrelevant to issues 
of military  security, and provide only a marginal or illusory benefit 
to law  enforcement agencies, as discussed below. 
<P>The IAB and IESG would like to encourage policies that allow ready 
 access to uniform strong cryptographic technology for all Internet 
users  in all countries.</P>
</BLOCKQUOTE>
<P>Our goal in the FreeS/WAN project is to build just such &quot;strong 
 cryptographic technology&quot; and to distribute it &quot;for all Internet users 
in  all countries&quot;.</P>
<P>More recently, the same two bodies (IESG and IAB) have issued <A href="ftp://ftp.isi.edu/in-notes/rfc2804.txt">
RFC 2804</A> on why the IETF  should not build wiretapping capabilities 
into protocols for the convenience  of security or law enforcement 
agenicies.</P>
<P>Our goal is to go beyond that and prevent Internet wiretapping 
 entirely.</P>
<H3><A name="Wassenaar">The Wassenaar Arrangement</A></H3>
<P>Restrictions on the export of cryptography are not just US policy, 
though  some consider the US at least partly to blame for the policies 
of other  nations in this area.</P>
<P>A number of countries:</P>
<P>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech 
Republic,  Denmark, Finland, France, Germany, Greece, Hungary, Ireland, 
Italy, Japan,  Luxembourg, Netherlands, New Zealand, Norway, Poland, 
Portugal, Republic of  Korea, Romania, Russian Federation, Slovak 
Republic, Spain, Sweden,  Switzerland, Turkey, Ukraine, United Kingdom 
and United States</P>
<P>have signed the Wassenaar Arrangement which restricts export of 
munitions  and other tools of war. Cryptographic sofware is covered 
there.</P>
<P>Wassenaar details are available from the <A href="http://www.wassenaar.org/">
 Wassenaar Secretariat</A>, and elsewhere  in a more readable <A href="http://www.fitug.de/news/wa/index.html">
 HTML  version</A>.</P>
<P>For a critique see the <A href="http://www.gilc.org/crypto/wassenaar">
 GILC site</A>:</P>
<BLOCKQUOTE> The Global Internet Liberty Campaign (GILC) has begun a 
campaign calling  for the removal of cryptography controls from the 
Wassenaar Arrangement. 
<P>The aim of the Wassenaar Arrangement is to prevent the build up of 
 military capabilities that threaten regional and international 
security  and stability . . .</P>
<P>There is no sound basis within the Wassenaar Arrangement for the 
 continuation of any export controls on cryptographic products.</P>
</BLOCKQUOTE>
<P>We agree entirely.</P>
<P> An interesting analysis of Wassenaar can be found on the <A href="http://www.cyber-rights.org/crypto/wassenaar.htm">
 cyber-rights.org</A> site. </P>
<H3><A name="status">Export status of Linux FreeS/WAN</A></H3>
<P>We believe our software is entirely exempt from these controls since 
the  Wassenaar <A href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">
General  Software Note</A> says:</P>
<BLOCKQUOTE> The Lists do not control &quot;software&quot; which is either: 
<OL>
<LI>Generally available to the public by . . . retail . . . or</LI>
<LI>&quot;In the public domain&quot;.</LI>
</OL>
</BLOCKQUOTE>
<P>There is a note restricting some of this, but it is a sub-heading 
under  point 1, so it appears not to apply to public domain software.</P>
<P>Their glossary defines &quot;In the public domain&quot; as:</P>
<BLOCKQUOTE> . . . &quot;technology&quot; or &quot;software&quot; which has been made 
available without  restrictions upon its further dissemination. 
<P>N.B. Copyright restrictions do not remove &quot;technology&quot; or &quot;software&quot; 
 from being &quot;in the public domain&quot;.</P>
</BLOCKQUOTE>
<P>We therefore believe that software freely distributed under the <A href="#GPL">
GNU Public License</A>, such as Linux FreeS/WAN, is exempt from 
 Wassenaar restrictions.</P>
<P>Most of the development work is being done in Canada. Our 
understanding  is that the Canadian government accepts this 
interpretation.</P>
<UL>
<LI>A web statement of <A href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm">
 Canadian  policy</A> is available from the Department of Foreign 
Affairs and  International Trade.</LI>
<LI>Another document from that department states that <A href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">
public domain  software</A> is exempt from the export controls.</LI>
<LI>A researcher's <A href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">
analysis</A> of Canadian policy is also available.</LI>
</UL>
<P>Recent copies of the freely modifiable and distributable source code 
 exist in many countries. Citizens all over the world participate in 
its use  and evolution, and guard its ongoing distribution. Even if 
Canadian policy  were to change, the software would continue to evolve 
in countries which do  not restrict exports, and would continue to be 
imported from there into  unfree countries. &quot;The Net culture treats 
censorship as damage, and routes  around it.&quot;</P>
<H3><A name="help">Help spread IPSEC around</A></H3>
<P> You can help. If you don't know of a Linux FreeS/WAN archive in 
your own country, please download it now to your personal machine, and 
consider making it publicly accessible if that doesn't violate your own 
laws. If you have the resources, consider going one step further and 
setting up a mirror site for the whole <A href="#munitions">munitions</A>
 Linux crypto software archive.</P>
<P>If you make Linux CD-ROMs, please consider including this code, in a 
way  that violates no laws (in a free country, or in a domestic-only CD 
 product).</P>
<P>Please send a note about any new archive mirror sites or CD 
distributions  to linux-ipsec@clinet.fi so we can update the 
documentation.</P>
<P>Lists of current <A href="#sites">mirror sites</A> and of <A href="#distwith">
distributions</A> which include FreeS/WAN are in our  introduction 
section.</P>
<H2><A name="desnotsecure">DES is Not Secure</A></H2>
<P>DES, the <STRONG>D</STRONG>ata <STRONG>E</STRONG>ncryption <STRONG> S</STRONG>
tandard, can no longer be considered secure. While no  major flaws in 
its innards are known, it is fundamentally inadequate because  its <STRONG>
56-bit key is too short</STRONG>. It is vulnerable to <A href="#brute">
brute-force search</A> of the whole key space, either by large 
 collections of general-purpose machines or even more quickly by 
specialized  hardware. Of course this also applies to <STRONG>any other 
cipher with only  a 56-bit key</STRONG>. The only reason anyone could 
have for using a 56 or  64-bit key is to comply with various <A href="exportlaw.html">
export  laws</A> intended to ensure the use of breakable ciphers.</P>
<P>Non-government cryptologists have been saying DES's 56-bit key was 
too  short for some time -- some of them were saying it in the 70's 
when DES  became a standard -- but the US government has consistently 
ridiculed such  suggestions.</P>
<P>A group of well-known cryptographers looked at key lengths in a <A href="http://www.counterpane.com/keylength.html">
 1996 paper</A>. They  suggested a <EM>minimum</EM> of 75 bits to 
consider an existing cipher  secure and a <EM>minimum of 90 bits for 
new ciphers</EM>. More recent  papers, covering both <A href="#symmetric">
symmetric</A> and <A href="#public">public key</A> systems are at <A href="http://www.cryptosavvy.com/">
cryptosavvy.com</A> and <A href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">
rsa.com</A>.  For all algorithms, the minimum keylengths recommended in 
such papers are  significantly longer than the maximums allowed by 
various export laws.</P>
<P> In a <A href="http://www.thestandard.net/articles/display/0,1449,1780,00.html">
1998  ruling</A>, a German court described DES as &quot;out-of-date and not 
safe  enough&quot; and held a bank liable for using it.</P>
<H3><A name="deshware">Dedicated hardware breaks DES in a few days</A></H3>
<P>The question of DES security has now been settled once and for all. 
In  early 1998, the <A href="http://www.eff.org/">Electronic Frontier 
 Foundation</A> built a <A href="http://www.eff.org/descracker.html">
DES-cracking machine</A>. It can  find a DES key in an average of a few 
days' search. The details of all this,  including complete code 
 listings and complete plans for the machine, have been published in <A href="#EFF">
<CITE>Cracking DES</CITE></A>, by the Electronic Frontier  Foundation.</P>
<P> That machine cost just over $200,000 to design and build. &quot;Moore's 
Law&quot; is that machines get faster (or cheaper, for the same speed) by 
roughly a factor of two every 18 months. At that rate, their $200,000 
in 1998 becomes $50,000 in 2001. </P>
<P> However, Moore's Law is not exact and the $50,000 estimate does not 
allow for the fact that a copy based on the published EFF design would 
of course cost far less than the original. We cannot say exactly what 
such a cracker would cost today, but it would likely be somewhere 
between $10,000 and $100,000. </P>
<P> A large corporation could build one of these out of petty cash. The 
cost is low enough for a senior manager to hide it in a departmental 
budget and avoid having to announce or justify the project. Any 
government agency, from a major municipal police force up, could afford 
one. Or any other group with a respectable budget -- criminal 
organisations, political groups, labour unions, religious groups, ... 
Or any millionaire with an obsession or a grudge, or just strange taste 
in toys.</P>
<P>One might wonder if a private security or detective agency would 
have one  for rent. They wouldn't need many clients to pay off that 
investment.</P>
<H3><A name="spooks">Spooks may break DES faster yet</A></H3>
<P>As for the security and intelligence agencies of various nations, 
some of  them may have had DES crackers for years. Possibly very fast 
ones!  Cipher-cracking is one of the few known applications which is 
easy to speed  up by just adding more processors and memory. Within 
very broad limits, you  can make it as fast as you like if you have the 
budget. The EFF's $200,000  machine breaks DES in a few days. An <A href="http://www.planepage.com/">
aviation website</A> gives the cost of a B1  bomber as $200,000,000. 
Spending that much, an intelligence agency could  expect to break DES 
in an average time of <EM>six and a half  minutes</EM>.</P>
<P>That estimate assumes they use the EFF's 1998 technology and just 
spend  more money. They may have an attack that is superior to brute 
force, they  quite likely have better chip technology (Moore's law, a 
bigger budget, and  whatever secret advances they may have made) and of 
course they may have  spent the price of an aircraft carrier, not just 
one aircraft.</P>
<P>In short, we have <EM>no idea</EM> how quickly these organisations 
can  break DES. Unless they're grossly incompetent, they can certainly 
do it more  quickly than the users of the cipher would like, but beyond 
that we can't  say. Pick any time unit between days and milliseconds. 
None of these is  entirely unbelievable. More to the point, none of 
them is  of any comfort if  you don't want such organisations reading 
your communications.</P>
<P>Note that this may be a concern even if nothing you do is a threat 
to  anyone's national security. An intelligence agency might well 
consider it to  be in their national interest for certain companies to 
do well. If you're  competing against such companies in a world market 
and that agency can read  your secrets, you have a serious problem. For 
example, see this <A href="http://www.msnbc.com/news/403435.asp?cp1=1">
NBC story</A> or this <A href="http://cryptome.org/dp/Econ_Espionage.htm">
analysis</A>. The US are the villains in those pieces, but there is no 
reason to  imagine they are the only threat.</P>
<P>One might wonder about technology the former Soviet Union and its 
allies  developed for cracking DES during the Cold War. They must have 
tried; the  cipher was an American standard and widely used. How well 
did they succeed?  Is their technology now for sale or rent?</P>
<H3><A name="desnet">Networks break DES in a few weeks</A></H3>
<P>Before the definitive EFF effort, DES had been cracked several times 
by  people using many machines. See this <A href="http://www.distributed.net/pressroom/DESII-1-PR.html">
 press  release</A> for example.</P>
<P>A major corporation, university, or government department could 
break DES  by using spare cycles on their existing collection of 
computers, by  dedicating a group of otherwise surplus machines to the 
problem, or by  combining the two approaches. It might take them weeks 
or months, rather  than the days required for the EFF machine, but they 
could do it.</P>
<P>What about someone working alone, without the resources of a large 
 organisation? For them, cracking DES will not be easy, but it may be 
 possible. A few thousand dollars buys a lot of surplus workstations. A 
pile  of such machines will certainly heat your garage nicely and might 
break DES  in a few months or years. Or enroll at a university and use 
their machines.  Or use an employer's machines. Or crack security 
somewhere and steal the  resources to crack a DES key. Or write a virus 
that steals small amounts of  resources on many machines. Or . . .</P>
<P>None of these approaches are easy or break DES really quickly, but 
an  attacker only needs to find one that is feasible and breaks DES 
quickly  enough to be dangerous. How much would you care to bet that 
this will be  impossible if the attacker is clever and determined? How 
valuable is your  data? Are you authorised to risk it on a dubious bet?</P>
<H3><A name="no_des">We disable DES</A></H3>
<P>In short, it is now absolutely clear that <STRONG>DES is not  secure</STRONG>
 against</P>
<UL>
<LI>any <STRONG>well-funded opponent</STRONG></LI>
<LI>any opponent (even a penniless one) with access (even stolen 
access)  to <STRONG>enough general purpose computers</STRONG></LI>
</UL>
<P>That is why <STRONG>Linux FreeS/WAN disables all transforms which 
use  plain DES</STRONG> for encryption.</P>
<P>DES is in the source code, because we need DES to implement our 
default  encryption transform, <A href="#3DES">Triple DES</A>. <STRONG>
We urge you  not to use single DES</STRONG>. We do not provide any easy 
way to enable it  in FreeS/WAN, and our policy is to provide no 
assistance to anyone wanting  to do so.</P>
<H3><A name="40joke">40-bits is laughably weak</A></H3>
<P>The same is true, in spades, of ciphers -- DES or others -- crippled 
by  40-bit keys, as many ciphers were required to be until recently 
under  various <A href="#exlaw">export laws</A>. A brute force search 
of such a  cipher's keyspace is 2<SUP>16</SUP> times faster than a 
similar search  against DES. The EFF's machine can do a brute-force 
search of a 40-bit key  space in <EM>seconds</EM>. One contest to crack 
a 40-bit cipher was won by a  student <A href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1">
 using a  few hundred idle machines at his university</A>. It took only 
three and half  hours.</P>
<P>We do not, and will not, implement any 40-bit cipher.</P>
<H3><A name="altdes">Triple DES is almost certainly secure</A></H3>
<P><A href="#3DES">Triple DES</A>, usually abbreviated 3DES, applies 
DES  three times, with three different keys. DES seems to be basically 
an  excellent cipher design; it has withstood several decades of 
intensive  analysis without any disastrous flaws being found. It's only 
major flaw is  that the small keyspace allows brute force attacks to 
succeeed. Triple DES  enlarges the key space to 168 bits, making 
brute-force search a ridiculous  impossibility.</P>
<P>3DES is currently the only block cipher implemented in FreeS/WAN. 
3DES  is, unfortunately, about 1/3 the speed of DES, but modern CPUs 
still do it  at quite respectable speeds. Some <A href="#benchmarks">
speed  measurements</A> for our code are available.</P>
<H3><A name="aes.ipsec">AES in IPSEC</A></H3>
<P> The <A href="#AES">AES</A> project has recently chosen a 
replacement for DES, a new standard cipher for use in non-classified US 
government work and in regulated industries such as banking. This 
cipher will almost certainly become widely used for many applications, 
including IPSEC, but perhaps not quickly.</P>
<P> The winner, announced in October 2000 after several years of 
analysis and discussion, was the <A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">
Rijndael</A> cipher from two Belgian designers. </P>
<P> It is likely that many IPSEC implementations will add Rijndael 
support over the next few months or years. FreeS/WAN will almost 
 certainly do so, but it is not high on the priority list. This might 
be an  excellent project for a volunteer.</P>
<H2><A name="press">Press coverage of Linux FreeS/WAN:</A></H2>
<H3><A NAME="11_6_1">FreeS/WAN 1.0 press</A></H3>
<UL>
<LI><A href="http://www.wired.com/news/news/technology/story/19136.html">
Wired</A> &quot;Linux-Based Crypto Stops Snoops&quot;, James Glave April 15 1999</LI>
<LI><A href="http://slashdot.org/articles/99/04/15/1851212.shtml">
Slashdot</A></LI>
<LI><A href="http://dgl.com/itinfo/1999/it990415.html">DGL</A>, Damar 
Group  Limited; looking at FreeS/WAN from a perspective of business 
 computing</LI>
<LI><A href="http://linuxtoday.com/stories/5010.html">Linux Today</A></LI>
<LI><A href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</A>
,  Tasty Bits from the Technology Front</LI>
<LI><A href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">
Salon  Magazine</A> &quot;Free Encryption Takes a Big Step&quot;</LI>
</UL>
<H3><A name="release">Press release for version 1.0</A></H3>
<PRE>
        Strong Internet Privacy Software Free for Linux Users Worldwide

Toronto, ON, April 14, 1999 - 

The Linux FreeS/WAN project today released free software to protect
the privacy of Internet communications using strong encryption codes.
FreeS/WAN automatically encrypts data as it crosses the Internet, to
prevent unauthorized people from receiving or modifying it.  One
ordinary PC per site runs this free software under Linux to become a
secure gateway in a Virtual Private Network, without having to modify
users' operating systems or application software.  The project built
and released the software outside the United States, avoiding US
government regulations which prohibit good privacy protection.
FreeS/WAN version 1.0 is available immediately for downloading at
http://www.xs4all.nl/~freeswan/.

&quot;Today's FreeS/WAN release allows network administrators to build
excellent secure gateways out of old PCs at no cost, or using a cheap
new PC,&quot; said John Gilmore, the entrepreneur who instigated the
project in 1996.  &quot;They can build operational experience with strong
network encryption and protect their users' most important
communications worldwide.&quot;

&quot;The software was written outside the United States, and we do not
accept contributions from US citizens or residents, so that it can be
freely published for use in every country,&quot; said Henry Spencer, who
built the release in Toronto, Canada.  &quot;Similar products based in the
US require hard-to-get government export licenses before they can be
provided to non-US users, and can never be simply published on a Web
site.  Our product is freely available worldwide for immediate
downloading, at no cost.&quot;

FreeS/WAN provides privacy against both quiet eavesdropping (such as
&quot;packet sniffing&quot;) and active attempts to compromise communications
(such as impersonating participating computers).  Secure &quot;tunnels&quot; carry
information safely across the Internet between locations such as a
company's main office, distant sales offices, and roaming laptops.  This
protects the privacy and integrity of all information sent among those
locations, including sensitive intra-company email, financial transactions
such as mergers and acquisitions, business negotiations, personal medical
records, privileged correspondence with lawyers, and information about
crimes or civil rights violations.  The software will be particularly
useful to frequent wiretapping targets such as private companies competing
with government-owned companies, civil rights groups and lawyers,
opposition political parties, and dissidents. 

FreeS/WAN provides privacy for Internet packets using the proposed
standard Internet Protocol Security (IPSEC) protocols.  FreeS/WAN
negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
keys, and encrypts each packet with 168-bit Triple-DES (3DES).  A modern
$500 PC can set up a tunnel in less than a second, and can encrypt
6 megabits of packets per second, easily handling the whole available
bandwidth at the vast majority of Internet sites.  In preliminary testing,
FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
Cisco, Raptor, and Xedia.  Since FreeS/WAN is distributed as source code,
its innards are open to review by outside experts and sophisticated users,
reducing the chance of undetected bugs or hidden security compromises.

The software has been in development for several years.  It has been
funded by several philanthropists interested in increased privacy on
the Internet, including John Gilmore, co-founder of the Electronic
Frontier Foundation, a leading online civil rights group.

Press contacts:
Hugh Daniel,   +1 408 353 8124, hugh@toad.com
Henry Spencer, +1 416 690 6561, henry@spsystems.net

* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
  Security, Inc; used by permission.
</PRE>
<HR>
<H1><A name="ipsec.detail">The IPSEC protocols</A></H1>
<P>This section provides details of the IPSEC protocols which FreeS/WAN 
 implements</P>
<P>The basic idea of IPSEC is to provide security functions, <A href="#authentication">
authentication</A> and <A href="#encryption">encryption</A>, at the IP 
(Internet Protocol) level. This  requires a higher-level protocol (IKE) 
to set things up for the IP-level  services (ESP and AH).</P>
<P>Three protocols are used in an IPSEC implementation:</P>
<DL>
<DT>ESP, Encapsulating Security Payload</DT>
<DD>Encrypts and/or authenticates data</DD>
<DT>AH, Authentication Header</DT>
<DD>Provides a packet authentication service</DD>
<DT>IKE, Internet Key Exchange</DT>
<DD>Negotiates connection parameters, including keys, for the other  two</DD>
</DL>
<P> The term &quot;IPSEC&quot; is slightly ambiguous. In some contexts, it 
includes all  three of the above but in other contexts it refers only 
to AH and ESP. </P>
<H2><A name="others">Applying IPSEC</A></H2>
<P>Authentication and encryption functions for network data can, of 
course,  be provided at other levels. Many security protocols work at 
levels above  IP.</P>
<UL>
<LI><A href="#PGP">PGP</A> encrypts and authenticates mail messages</LI>
<LI><A href="#SSH">SSH</A> authenticates remote logins and then 
encrypts  the session</LI>
<LI><A href="#SSL">SSL</A> or <A href="#TLS">TLS</A> provides security 
at  the sockets layer, e.g. for secure web browsing</LI>
</UL>
<P> and so on. Other techniques work at levels below IP. For example, 
data on a  communications circuit or an entire network can be encrypted 
by specialised  hardware. This is common practice in high-security 
applications. </P>
<H3><A name="advantages">Advantages of IPSEC</A></H3>
<P>There are, however, advantages to doing it at the IP level instead 
of, or  as well as, at other levels.</P>
<P>IPSEC is the <STRONG>most general way to provide these services for 
the  Internet</STRONG>.</P>
<UL>
<LI>Higher-level services protect a <EM>single protocol</EM>; for 
example  PGP protects mail.</LI>
<LI>Lower level services protect a <EM>single medium</EM>; for example 
a  pair of encryption boxes on the ends of a line make wiretaps on that 
 line useless unless the attacker is capable of breaking the 
 encryption.</LI>
</UL>
<P> IPSEC, however, can protect <EM>any protocol</EM> running above IP 
and <EM> any medium</EM> which IP runs over. More to the point, it can 
protect a  mixture of application protocols running over a complex 
combination of  media. This is the normal situation for Internet 
communication; IPSEC is the  only general solution. </P>
<P>IPSEC can also provide some security services &quot;in the background&quot;, 
with <STRONG> no visible impact on users</STRONG>. To use <A href="#PGP">
PGP</A> encryption and signatures on mail, for example, the user must 
at least:</P>
<UL>
<LI>remember his or her passphrase,</LI>
<LI>keep it secure</LI>
<LI>follow procedures to validate correspondents' keys</LI>
</UL>
<P> These systems can be designed so that the burden on users is not 
 onerous, but any system will place some requirements on users. No such 
 system can hope to be secure if users are sloppy about meeting those 
 requirements. The author has seen username and password stuck on 
terminals  with post-it notes in an allegedly secure environment, for 
example. </P>
<H3><A name="limitations">Limitations of IPSEC</A></H3>
<P>IPSEC is designed to secure IP links between machines. It does that 
well,  but it is important to remember that there are many things it 
does not do.  Some of the important limitations are:</P>
<DL>
<DT><A name="depends">IPSEC cannot be secure if your system isn't</A></DT>
<DD>System security on IPSEC gateway machines is an essential 
 requirement if IPSEC is to function as designed. No system can be 
 trusted if the underlying machine has been subverted. See books on 
 Unix security such as <A href="#practical">Garfinkel and Spafford</A>
 or our web references for <A href="#linsec">Linux security</A> or more 
 general <A href="#compsec">computer security</A>. </DD>
<P>Of course, there is another side to this. IPSEC can be a powerful 
 tool for improving system and network security. For example, requiring 
 packet authentication makes various spoofing attacks harder and IPSEC 
 tunnels can be extremely useful for secure remote administration of 
 various things.</P>
<DT><A name="not-end-to-end">IPSEC is not end-to-end</A></DT>
<DD>IPSEC cannot provide the same end-to-end security as systems 
working  at higher levels. IPSEC encrypts an IP connection between two 
 machines, which is quite a different thing than encrypting messages 
 between users or between applications. </DD>
<P>For example, if you need mail encrypted from the sender's desktop 
 to the recipient's desktop and decryptable only by the recipient, use <A
href="#PGP"> PGP</A> or another such system. IPSEC can encrypt any  or 
all of the links involved -- between the two mail servers, or  between 
either server and its clients. It could even be used to secure  a 
direct IP link from the sender's desktop machine to the recipient's, 
 cutting out any sort of network snoop. What it cannot ensure is 
 end-to-end user-to-user security. If only IPSEC is used to secure 
 mail, then anyone with appropriate privileges on any machine where 
 that mail is stored (at either end or on any store-and-forward servers 
 in the path) can read it.</P>
<P>In another common setup, IPSEC encrypts packets at a security 
 gateway machine as they leave the sender's site and decrypts them on 
 arrival at the gateway to the recipient's site. This does not even 
 come close to providing an end-to-end service. In particular, anyone 
 with appropriate privileges on either site's LAN can intercept the 
 message in unencrypted form.</P>
<DT><A name="notpanacea">IPSEC cannot do everything</A></DT>
<DD>IPSEC also cannot provide all the functions of systems working at 
 higher levels of the protocol stack. If you need a document 
 electronically signed by a particular person, then you need his or her <A
href="#signature"> digital signature</A> and a <A href="#public">public 
key cryptosystem</A> to verify it with. </DD>
<P>Note, however, that IPSEC authentication of the underlying 
 communication can make various attacks on higher-level protocols more 
 difficult. In particular, authentication prevents <A href="#middle">
man-in-the-middle attacks</A>.</P>
<DT><A name="no_user">IPSEC authenticates machines, not users</A></DT>
<DD>IPSEC uses strong authentication mechanisms to control which 
 messages go to which machines, but it does not have the concept of 
 user ID, which is vital to many other security mechansims and 
 policies. This means some care must be taken in fitting the various 
 security mechansims on a network together. For example, if you need to 
 control which users access your database server, you need some 
 non-IPSEC mechansim for that. IPSEC can control which machines connect 
 to the server, and can ensure that data transfer to those machines is 
 done securely, but that is all. Either the machines themselves must 
 control user access or there must be some form of user authentication 
 to the database, independent of IPSEC.</DD>
<DT><A name="DoS">IPSEC does not stop denial of service attacks</A></DT>
<DD><A href="#DoS">Denial of service</A> attacks aim at causing a 
system  to crash, overload, or become confused so that legitimate users 
cannot  get whatever services the system is supposed to provide. These 
are  quite different from attacks in which the attacker seeks either to 
use  the service himself or to subvert the service into delivering 
 incorrect results. </DD>
<P>IPSEC shifts the ground for DoS attacks; the attacks possible 
 against systems using IPSEC are different than those that might be 
 used against other systems. It does not, however, eliminate the 
 possibility of such attacks.</P>
<DT><A name="traffic">IPSEC does not stop traffic analysis</A></DT>
<DD><A href="#traffic">Traffic analysis</A> is the attempt to derive 
 intelligence from messages without regard for their contents. In the 
 case of IPSEC, it would mean analysis based on things visible in the 
 unencrypted headers of encrypted packets -- source and destination 
 gateway addresses, packet size, et cetera. Given the resources to 
 acquire such data and some skill in analysing it (both of which any 
 national intelligence agency should have), this can be a very powerful 
 technique. </DD>
<P>IPSEC is not designed to defend against this. Partial defenses are 
 certainly possible, and some are <A href="#traffic.resist">described 
below</A>,  but it is not clear that any complete defense can be 
provided.</P>
</DL>
<H3><A name="uses">IPSEC is a general mechanism for securing IP</A></H3>
<P>While IPSEC does not provide all functions of a mail encryption 
package,  it can encrypt your mail. In particular, it can ensure that 
all mail passing  between a pair or a group of sites is encrypted. An 
attacker looking only at  external traffic, without access to anything 
on or behind the IPSEC gateway,  cannot read your mail. He or she is 
stymied by IPSEC just as he or she would  be by <A href="#PGP">PGP</A>.</P>
<P>The advantage is that IPSEC can provide the same protection for <STRONG>
 anything transmitted over IP</STRONG>. In a corporate network example, 
PGP  lets the branch offices exchange secure mail with head office. SSL 
and SSH  allow them to securely view web pages, connect as terminals to 
machines, and  so on. IPSEC can support all those applications, plus 
database queries, file  sharing (NFS or Windows), other protocols 
encapsulated in IP (Netware,  Appletalk, ...), phone-over-IP, 
video-over-IP, ... anything-over-IP. The  only limitation is that IP 
Multicast is not yet supported, though there are  Internet Draft 
documents for that.</P>
<P>IPSEC creates <STRONG>secure tunnels through untrusted networks</STRONG>
.  Sites connected by these tunnels form VPNs, <A href="#vpn">Virtual 
Private  Networks</A>.</P>
<P>IPSEC gateways can be installed wherever they are required.</P>
<UL>
<LI>One organisation might choose to install IPSEC only on firewalls 
 between their LANs and the Internet. This would allow them to create a 
 VPN linking several offices. It would provide protection against 
anyone  outside their sites.</LI>
<LI>Another might install IPSEC on departmental servers so everything 
on  the corporate backbone net was encrypted. This would protect 
messages on  that net from everyone except the sending and receiving 
department.</LI>
<LI>Another might be less concerned with information secrecy and more 
with  controlling access to certain resources. They might use IPSEC 
packet  authentication as part of an access control mechanism, with or 
without  also using the IPSEC encryption service.</LI>
<LI>It is even possible (assuming adequate processing power and an 
IPSEC  implementation in each node) to make every machine its own IPSEC 
gateway  so that everything on a LAN is encrypted. This protects 
information from  everyone outside the sending and receiving machine.</LI>
<LI>These techniques can be combined in various ways. One might, for 
 example, require authentication everywhere on a network while using 
 encryption only for a few links.</LI>
</UL>
<P> Which of these, or of the many other possible variants, to use is 
up to you. <STRONG> IPSEC provides mechanisms; you provide the policy</STRONG>
. </P>
<P><STRONG>No end user action is required</STRONG> for IPSEC security 
to be  used; they don't even have to know about it. The site 
administrators, of  course, do have to know about it and to put some 
effort into making it work.  Poor administration can compromise IPSEC 
as badly as the post-it notes  mentioned above. It seems reasonable, 
though, for organisations to hope  their system administrators are 
generally both more security-conscious than  end users and more able to 
follow computer security procedures. If not, at  least there are fewer 
of them to educate or replace.</P>
<P>IPSEC can be, and often should be, used with along with security 
 protocols at other levels. If two sites communicate with each other 
via the  Internet, then IPSEC is the obvious way to protect that 
communication. If  two others have a direct link between them, either 
link encryption or IPSEC  would make sense. Choose one or use both. 
Whatever you use at and below the  IP level, use other things as 
required above that level. Whatever you use  above the IP level, 
consider what can be done with IPSEC to make attacks on  the higher 
levels harder. For example, <A href="#middle">man-in-the-middle  attacks</A>
 on various protocols become difficult if authentication at  packet 
level is in use on the potential victims' communication channel.</P>
<H3><A name="authonly">Using authentication without encryption</A></H3>
<P> Where appropriate, IPSEC can provide authentication without 
encryption.  One might do this, for example:</P>
<UL>
<LI>where the data is public but one wants to be sure of getting the 
right  data, for example on some web sites</LI>
<LI>where encryption is judged unnecessary, for example on some company 
or  department LANs</LI>
<LI>where strong encryption is provided at link level, below IP</LI>
<LI>where strong encryption is provided in other protocols, above IP
<BR> Note that IPSEC authentication may make some attacks on those 
protocols  harder.</LI>
</UL>
<P> Authentication has lower overheads than encryption. </P>
<P> The protocols provide four ways to build such connections, using 
either an AH-only connection or ESP using null encryption, and in 
either manually or automatically keyed mode. FreeS/WAN supports only 
one of these, manually keyed AH-only connections, and <STRONG>we do not 
recommend using that</STRONG>. Our reasons are discussed under <A href="#traffic.resist">
Resisting traffic analysis</A> a few sections further along. </P>
<H3><A name="encnoauth">Encryption without authentication is dangerous</A>
</H3>
<P>Originally, the IPSEC encryption protocol <A href="#ESP">ESP</A>
 didn't  do integrity checking. It only did encryption. Steve Bellovin 
found many  ways to attack ESP used without authentication. See his 
paper <A href="http://www.research.att.com/~smb/papers/badesp.ps">
Problem areas for  the IP Security Protocols</A>. To make a secure 
connection, you had to add  an <A href="#AH">AH</A> Authentication 
Header as well as ESP.  Rather than  incur the overhead of several 
layers (and rather than provide an ESP layer  that didn't actually 
protect the traffic), the IPSEC working group built  integrity and 
replay checking directly into ESP.</P>
<P>Today, typical usage is one of:</P>
<UL>
<LI>ESP for encryption and authentication</LI>
<LI>AH for authentication alone</LI>
</UL>
<P> Other variants are allowed by the standard, but not much used:</P>
<DL>
<DT>ESP encryption without authentication</DT>
<DD><STRONG>Bellovin has demonstrated fatal flaws in this. Do not  use.</STRONG>
</DD>
<DT>ESP encryption with AH authentication</DT>
<DD>This has higher overheads than using the authentication in ESP, and 
 no obvious benefit in most cases. The exception might be a network 
 where AH authentication was widely or universally used. If you're 
 going to do AH to conform with network policy, why authenticate again 
 in the ESP layer?</DD>
<DT>Authenticate twice, with AH and with ESP</DT>
<DD>Why? Of course, some folk consider &quot;belt and suspenders&quot; the 
 sensible approach to security. If you're among them, you might use 
 both protocols here. You might also use both to satisfy different 
 parts of a security policy. For example, an organisation might require 
 AH authentication everywhere but two users within the organisation 
 might use ESP as well.</DD>
<DT>ESP authentication without encryption</DT>
<DD>The standard allows this, calling it &quot;null encryption&quot;. FreeS/WAN 
 does not support it. We recommend that you use AH instead if 
 authentication is all you require. AH authenticates parts of the IP 
 header, which ESP-null does not do.</DD>
</DL>
 Some of these variants cannot be used with FreeS/WAN because we do not 
support ESP-null and do not support automatic keying of AH-only 
connections. 
<P> There are fairly frequent suggestions that AH be dropped entirely 
from  the IPSEC specifications since ESP and null encryption can handle 
that  situation. It is not clear whether this will occur. My guess is 
that it is  unlikely.</P>
<H3><A name="multilayer">Multiple layers of IPSEC processing are 
possible</A></H3>
<P>The above describes combinations possible on a single IPSEC 
connection.  In a complex network you may have several layers of IPSEC 
in play, with any  of the above combinations at each layer.</P>
<P>For example, a connection from a desktop machine to a database 
server  might require AH authentication. Working with other host, 
network and  database security measures, AH might be just the thing for 
access control.  You might decide not to use ESP encryption on such 
packets, since it uses  resources and might complicate network 
debugging. Within the site where the  server is, then, only AH would be 
used on those packets.</P>
<P>Users at another office, however, might have their whole connection 
(AH  headers and all) passing over an IPSEC tunnel connecting their 
office to the  one with the database server. Such a tunnel should use 
ESP encryption and  authentication. You need authentication in this 
layer because without  authentication the encryption is vulnerable and 
the gateway cannot verify  the AH authentication. The AH is between 
client and database server; the  gateways aren't party to it.</P>
<P>In this situation, some packets would get multiple layers of IPSEC 
 applied to them, AH on an end-to-end client-to-server basis and ESP 
from one  office's security gateway to the other.</P>
<H3><A name="traffic.resist">Resisting traffic analysis</A></H3>
<P><A href="#traffic"> Traffic analysis</A> is the attempt to derive 
useful intelligence from encrypted traffic without breaking the 
encryption. </P>
<P> Is your CEO exchanging email with a venture capital firm? With 
bankruptcy trustees? With an executive recruiting agency? With the 
holder of some important patents? If an eavesdropper learns that, he 
has interesting intelligence on your company, whether or not he can 
read the messages themselves. </P>
<P> Except in the simplest cases, traffic analysis is hard to do well. 
It requires both considerable resources and considerable analytic 
skill. However, intelligence agencies of various nations have been 
doing it for centuries and many of them are likely quite good at it by 
now. Various commercial organisations, especially those working on 
&quot;targeted marketing&quot; may also be quite good at analysing certain types 
of traffic. </P>
<P> In general, defending against traffic analysis is also difficult. 
Inventing a really good defense could get you a PhD and some 
interesting job offers. </P>
<P> IPSEC is not designed to stop traffic analysis and we know of no 
plausible method of extending it to do so. That said, there are ways to 
make traffic analysis harder. This section describes them. </P>
<H4><A name="extra">Using &quot;unnecessary&quot; encryption</A></H4>
<P> One might choose to use encryption even where it appears 
unnecessary in order to make analysis more difficult. Consider two 
offices which pass a small volume of business data between them using 
IPSEC and also transfer large volumes of Usenet news. At first glance, 
it would seem silly to encrypt the newsfeed, except possibly for any 
newsgroups that are internal to the company. Why encrypt data that is 
all publicly available from many sites?</P>
<P> However, if we encrypt a lot of news and send it down the same 
connection as our business data, we make <A href="#traffic">traffic 
analysis</A> much harder. A snoop cannot now make inferences based on 
patterns in the volume, direction, sizes, sender, destination, or 
timing of our business messages. Those messages are hidden in a mass of 
news messages encapsulated in the same way.</P>
<P> If we're going to do this we need to ensure that keys change often 
enough to remain secure even with high volumes and with the adversary 
able to get plaintext of much of the data. We also need to look at 
other attacks this might open up. For example, can the adversary use a 
chosen plaintext attack, deliberately posting news articles which, when 
we receive and encrypt them, will help break our encryption? Or can he 
block our business data transmission by flooding us with silly news 
articles? Or ...</P>
<P> Also, note that this does not provide complete protection against 
traffic analysis. A clever adversary might still deduce useful 
intelligence from statistical analysis (perhaps comparing the input 
newsfeed to encrypted output, or comparing the streams we send to 
different branch offices), or by looking for small packets which might 
indicate establishment of TCP connections, or ...</P>
<P> As a general rule, though, one can improve resistance to traffic 
analysis by encrypting <EM>as much traffic as possible</EM> rather than 
only as much as seems necessary.</P>
<P> This also applies to using multiple layers of encryption. If you 
have an IPSEC tunnel between two branch offices, it might appear silly 
to send  PGP-encrypted email through that tunnel. However, if you 
suspect someone is snooping your traffic, then it does make sense: </P>
<UL>
<LI>it protects the mail headers; they cannot even see who is mailing 
who </LI>
<LI>it protects against user bungles or software malfunctions that 
accidentally send messages in the clear </LI>
<LI>it makes any attack on the mail encryption much harder; first they 
have to find the mail </LI>
</UL>
 Similar arguments apply for SSL-encrypted web traffic or SSH-encrypted 
remote login sessions, even for end-to-end IPSEC tunnels between 
systems in the two offices. 
<H4><A name="fewer">Using fewer tunnels</A></H4>
<P> It may also help to use fewer tunnels. For example, if all you 
actually need encrypted is connections between: </P>
<UL>
<LI>mail servers at branch and head offices </LI>
<LI>a few branch office users and the head office database server </LI>
</UL>
<P> You might build one tunnel per mail server and one per remote 
database user, restricting traffic to those applications. This gives 
the traffic analyst some information, however. He or she can 
distinguish the tunnels by looking at information in the ESP header 
and, given that distinction and the patterns of tunnel usage, might be 
able to figure out something useful. Perhaps not, but why take the 
risk? </P>
<P> We suggest instead that you build one tunnel per branch office, 
encrypting everything passing from head office to branches. This has a 
number of advantages: </P>
<UL>
<LI>it is easier to build and administer </LI>
<LI>it resists traffic analysis somewhat better </LI>
<LI>it provides security for whatever you forgot. For example, if some 
user at a remote office browses proprietary company data on some head 
office web page (that the security people may not even know about!), 
then that data is encrypted before it reaches the Internet. </LI>
</UL>
<P> Of course you might also want to add additional tunnels. For 
example, if some of the database data is confidential and should not be 
exposed even within the company, then you need protection from the 
user's desktop to the database server. We suggest you do that in 
whatever way seems appropriate -- IPSEC, SSH or SSL might fit -- but, 
whatever you choose, pass it between locations via a gateway-to-gateway 
IPSEC tunnel to provide some resistance to traffic analysis. </P>
<H2><A name="primitives">Cryptographic components</A></H2>
<P> IPSEC combines a number of cryptographic techniques, all of them 
well-known and well-analyzed. The overall design approach was 
conservative; no new or poorly-understood components were included.</P>
<P>This section gives a brief overview of each technique. It is 
intended only as an introduction. There is more information, and links 
to related topics, in our <A href="glossary.html">glossary</A>. See 
also our <A href="biblio.html">bibliography</A> and cryptography <A href="#crypto.link">
web links</A>.</P>
<H3><A name="block.cipher">Block ciphers</A></H3>
<P> The <A href="#encryption">encryption</A> in the <A href="#ESP">ESP</A>
 encapsulation protocol is done with a <A href="#block">block cipher</A>
.</P>
<P> We do not implement <A href="#DES">single DES</A>. It is <A href="#desnotsecure">
insecure</A>. Our default, and currently only, block cipher is <A href="#3DES">
 triple DES</A>.</P>
<P> The Rijndael block cipher has just won the <A href="#AES">AES</A>
 competition to choose a relacement for DES. It will almost certainly 
be added to FreeS/WAN and to other IPSEC implementations.</P>
<H3><A name="hash.ipsec">Hash functions</A></H3>
<H4><A name="hmac.ipsec">The HMAC construct</A></H4>
<P> IPSEC packet authentication is done with the HMAC construct. This 
is not just  a hash of the packet data, but a more complex operation 
which uses both a hashing algorithm (MD5 or SHA) and a key. It 
therefore does more than a simple hash would. A simple hash would only 
tell you that the packet data was not changed in transit, or that 
whoever changed it also regenerated the hash. An HMAC also tells you 
that the sender knew the HMAC key.</P>
<P> For IPSEC HMAC, the output of the hash algorithm is truncated to 96 
bits. This saves some space in the packets. More important, it prevents 
an attacker from seeing all the hash output bits and perhaps creating 
some sort of attack based on that knowledge.</P>
<H3><A name="DH.keying">Diffie-Hellman key agreement</A></H3>
<P> The <A href="#DH">Diffie-Hellman</A> key agreement protocol allows 
two parties (A and B or <A href="#alicebob">Alice and Bob</A>) to agree 
on a key in such a way that an eavesdropper who intercepts the entire 
conversation cannot learn the key.</P>
<P> The protocol is based on the <A href="#dlog">discrete logarithm</A>
 problem and is therefore thought to be secure. Mathematicians have 
been working on that problem for years and seem no closer to a 
solution, though there is no proof that an efficient solution is 
impossible.</P>
<H3><A name="RSA.auth">RSA authentication</A></H3>
<P> The <A href="#RSA">RSA</A> algorithm (named for its inventors -- 
Rivest, Shamir and Adleman) is a very widely used <A href="#">public key</A>
 cryptographic technique. It is used in IPSEC as one method of 
authenticating gateways for Diffie-Hellman key negotiation.</P>
<H2><A name="structure">Structure of IPSEC</A></H2>
<P>There are three protocols used in an IPSEC implementation:</P>
<DL>
<DT>ESP, Encapsulating Security Payload</DT>
<DD>Encrypts and/or authenticates data</DD>
<DT>AH, Authentication Header</DT>
<DD>Provides a packet authentication service</DD>
<DT>IKE, Internet Key Exchange</DT>
<DD>Negotiates connection parameters, including keys, for the other  two</DD>
</DL>
<P> The term &quot;IPSEC&quot; is slightly ambiguous. In some contexts, it 
includes all three of the above but in other contexts it refers only to 
AH and ESP.</P>
<H3><A name="IKE.ipsec">IKE (Internet Key Exchange)</A></H3>
<P>The IKE protocol sets up IPSEC (ESP or AH) connections after 
negotiating  appropriate parameters (algorithms to be used, keys, 
connection lifetimes)  for them. This is done by exchanging packets on 
UDP port 500 between the two  gateways.</P>
<P>IKE (RFC 2409) was the outcome of a long, complex process in which 
quite  a number of protocols were proposed and debated. Oversimplifying 
mildly, IKE  combines:</P>
<DL>
<DT>ISAKMP (RFC 2408)</DT>
<DD>The <STRONG>I</STRONG>nternet <STRONG>S</STRONG>ecurity <STRONG> A</STRONG>
ssociation and <STRONG>K</STRONG>ey <STRONG> M</STRONG>anagement <STRONG>
P</STRONG>rotocol manages  negotiation of connections and defines <A href="#SA">
SA</A>s (Security  Associations) as a means of describing connection 
properties.</DD>
<DT>IPSEC DOI for ISAKMP (RFC 2407)</DT>
<DD>A <STRONG>D</STRONG>omain <STRONG>O</STRONG>f <STRONG> I</STRONG>
nterpretation fills in the details necessary to turn  the rather 
abstract ISAKMP protocol into a more tightly specified protocol,  so it 
becomes applicable in a particular domain.</DD>
<DT>Oakley key determination protocol (RFC 2412)</DT>
<DD>Oakley creates keys using the <A href="#DH">Diffie-Hellman</A> key 
 agreement protocol.</DD>
</DL>
<P> For all the details, you would need to read the four <A href="rfc.html">
RFCs</A> just mentioned (over 200 pages) and a number of others.  We 
give a summary below, but it is far from complete.</P>
<H4><A name="phases">Phases of IKE</A></H4>
<P>IKE negotiations have two phases.</P>
<DL>
<DT>Phase one</DT>
<DD>The two gateways negotiate and set up a two-way ISAKMP SA which 
they  can then use to handle phase two negotiations. One such SA 
between a  pair of gateways can handle negotiations for multiple 
tunnels.</DD>
<DT>Phase two</DT>
<DD>Using the ISAKMP SA, the gateways negotiate IPSEC (ESP and/or AH) 
 SAs as required. IPSEC SAs are unidirectional (a different key is used 
 in each direction) and are always negotiated in pairs to handle 
 two-way traffic. There may be more than one pair defined between two 
 gateways.</DD>
</DL>
 Both of these phases use the UDP protocol and port 500 for their 
 negotiations. 
<P> After both IKE phases are complete, you have IPSEC SAs to carry 
your encrypted data. These use the ESP or AH protocols. These 
 protocols do not have ports; ports apply only to UDP or TCP. </P>
<P> The IKE protocol is designed to be extremely flexible. Among the 
things that can be negotiated (separately for each SA) are:</P>
<UL>
<LI>SA lifetime before rekeying</LI>
<LI>encryption algorithm used. We currently support only <A href="#3DES">
 triple DES</A>. Single DES is <A href="#desnotsecure"> insecure</A>. 
The RFCs say you MUST do DES, SHOULD  do 3DES and MAY do various 
others. We do not do any of the others.</LI>
<LI>authentication algorithms. We support <A href="#MD5">MD5</A> and <A href="#SHA">
SHA</A>. These are the two the RFCs require.</LI>
<LI>choice of group for <A href="#DH">Diffie-Hellman</A> key agreement. 
We  currently support Groups 2 and 5 (which are defined modulo primes 
of  various lengths) and do not support Group 1 (defined modulo a 
shorter prime,  and therefore cryptographically weak)  or groups 3 and 
4 (defined using  elliptic curves). The RFCs require only Group 1.</LI>
</UL>
<P> The protocol also allows implementations to add their own 
encryption algorithms, authentication algorithms or Diffie-Hellman 
groups. We do not support any such extensions.</P>
<P>There are a number of complications:</P>
<UL>
<LI>The gateways must be able to authenticate each other's identities 
 before they can create a secure connection. This host authentication 
is  part of phase one negotiations, and is a required prerequisite for 
 packet authentication used later. Host authentication can be  done in 
a variety of ways. Those supported by FreeS/WAN are discussed in  our <A href="#choose">
configuration</A> document.</LI>
<LI>Phase one can be done in two ways. 
<UL>
<LI>Main Mode is required by the RFCs and supported in FreeS/WAN.</LI>
<LI>Aggressive Mode is somewhat faster but reveals more to an 
 eavesdropper. This is optional in the RFCs, not currently supported 
 by FreeS/WAN, and not likely to be.</LI>
</UL>
</LI>
<LI>Phase two always uses Quick Mode, but there are two variants of 
that: 
<UL>
<LI>One variant provides <A href="#PFS">Perfect Forward Secrecy  (PFS)</A>
. An attacker that obtains your long-term host  authentication key does 
not immediately get any of your short-term  packet encryption of packet 
authentication keys. He must conduct  another successful attack each 
time you rekey to get the short-term  keys. Having some short-term keys 
does not help him learn others. In  particular, breaking your system 
today does not let him read  messages he archived yestarday, assuming 
you've changed short-term  keys in the meanwhile. We enable PFS as the 
default.</LI>
<LI>The other variant disables PFS and is therefore slightly faster. 
 We do not recommend this since it is less secure, but FreeS/WAN does 
 support it. You can enable it with a <VAR>pfs=no</VAR> statement in <A href="manpage.d/ipsec.conf.5.html">
 ipsec.conf(5)</A>.</LI>
</UL>
</LI>
<LI>Several types of notification message may be sent by either side 
 during either phase, or later. FreeS/WAN does not currently support 
these, but  they are a likely addition in future releases.</LI>
<LI>A new group exchange may take place after phase one but before 
phase  two, defining up an additional group for use in the <A href="#DH">
Diffie-Hellman</A> key agreement part of phase two.  FreeS/WAN does not 
currently support this.</LI>
<LI>There is a commit flag which may optionally be set on some 
messages.  The <A href="http://www.lounge.org/ike_doi_errata.html">
errata</A> page  for the RFCs includes two changes related to this, one 
to clarify the  description of its use and one to block a <A href="#DoS">
denial of  service</A> attack which uses it. We currently do not 
implement this  feature.</LI>
</UL>
<P> These complications can of course lead to problems, particularly 
when two different implementations attempt to interoperate. For 
example, we have seen problems such as: </P>
<UL>
<LI>Some implememtations (often products crippled by <A href="#exlaw">
export laws</A>) have the insecure DES algorithm as their  only 
supported encryption method. See our <A href="#desnotsecure">DES 
 insecurity</A> comments for the reasons we do not implement single 
DES,  and our <A href="#noDES">FAQ</A> for a discussion of how to cope 
 with crippled products.</LI>
<LI>Windows 2000 IPSEC tries to negotiate with FreeS/WAN using 
Aggressive  Mode, which we don't support. Later on, it uses the commit 
bit, which we  also don't support.</LI>
<LI>FreeS/WAN's interaction with PGPnet is complicated by their use of 
 notification messages we do not yet support.</LI>
</UL>
<P> Despite this, we do interoperate successfully with many 
implementations, including both Windows 2000 and PGPnet. Details are in 
our <A href="interop.html">interoperability</A> document. </P>
<H4><A name="struct.exchange">Structure of IKE messages</A></H4>
<P>Here is our Pluto developer explaining some of this on the mailing 
 list:</P>
<PRE>
When one IKE system (for example, Pluto) is negotiating with another
to create an SA, the Initiator proposes a bunch of choices and the
Responder replies with one that it has selected.

The structure of the choices is fairly complicated.  An SA payload
contains a list of lists of &quot;Proposals&quot;.  The outer list is a set of
choices: the selection must be from one element of this list.

Each of these elements is a list of Proposals.  A selection must be
made from each of the elements of the inner list.  In other words,
*all* of them apply (that is how, for example, both AH and ESP can
apply at once).

Within each of these Proposals is a list of Transforms.  For each
Proposal selected, one Transform must be selected (in other words,
each Proposal provides a choice of Transforms).

Each Transform is made up of a list of Attributes describing, well,
attributes.  Such as lifetime of the SA.  Such as algorithm to be
used.  All the Attributes apply to a Transform.

You will have noticed a pattern here: layers alternate between being
disjunctions (&quot;or&quot;) and conjunctions (&quot;and&quot;).

For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
cut back.  There must be exactly one Proposal.  So this degenerates to
a list of Transforms, one of which must be chosen.
</PRE>
<H3><A name="services">IPSEC Services, AH and ESP</A></H3>
<P> IPSEC offers two services, <A href="#authentication">authentication</A>
 and <A href="#encryption">encryption</A>. These can be used separately 
but are often used together.</P>
<DL>
<DT>Authentication</DT>
<DD>Packet-level authentication allows you to be confident that a 
packet  came from a particular machine and that its contents were not 
altered  en route to you. No attempt is made to conceal or protect the 
 contents, only to assure their integrity. </DD>
<P>Packet authentication can be provided separately using an <A href="#AH">
Authentication Header</A>, described just below, or it can  be included 
as part of the <A href="#ESP">ESP</A> (Encapsulated  Security Payload) 
service, described in the following section. That  service offers 
encryption as well as authentication.</P>
<DT>Encryption</DT>
<DD>Encryption allows you to conceal the contents of a message from 
 eavesdroppers. </DD>
<P>In IPSEC this is done using a <A href="#block">block cipher</A>
 (normally <A href="#3DES">Triple DES</A> for Linux). In the most used 
setup, keys are automatically  negotiated, and periodically 
re-negotiated, using the <A href="#IKE">IKE</A> (Internet Key Exchange) 
protocol. In Linux FreeS/WAN this is handled by the Pluto  Daemon.</P>
<P>The IPSEC protocol offering encryption is <A href="#ESP">ESP</A>, 
 Encapsulated Security Payload. It can also include a packet 
 authentication service.</P>
</DL>
<P> Note that <STRONG>encryption should always be used with some packet 
 authentication service</STRONG>. Unauthenticated encryption is 
vulnerable to <A href="#middle"> man-in-the-middle attacks</A>. Also 
note that encryption  does not necessarily prevent <A href="#traffic">
traffic analysis</A>.</P>
<H3><A name="AH.ipsec">The Authentication Header (AH)</A></H3>
<P>Packet authentication can be provided separately from encryption by 
 adding an authentication header (AH) after the IP header but before 
the  other headers on the packet. This is the subject of this section. 
Details  are in RFC 2402.</P>
<P>Each of the several headers on a packet header contains a &quot;next 
protocol&quot;  field telling the system what header to look for next. IP 
headers generally  have either TCP or UDP in this field. When IPSEC 
authentication is used, the  packet IP header has AH in this field, 
saying that an Authentication Header  comes next. The AH header then 
has the next header type -- usually TCP, UDP  or encapsulated IP.</P>
<P>IPSEC packet authentication can be added in transport mode, as a 
 modification of standard IP transport. This is shown in this diagram 
from  the RFC:</P>
<PRE>                  BEFORE APPLYING AH
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

                  AFTER APPLYING AH
            ---------------------------------
      IPv4  |orig IP hdr  |    |     |      |
            |(any options)| AH | TCP | Data |
            ---------------------------------
            ||
                 except for mutable fields</PRE>
<P>Athentication can also be used in tunnel mode, encapsulating the 
 underlying IP packet beneath AH and an additional IP header.</P>
<PRE>                         ||
IPv4  | new IP hdr* |    | orig IP hdr*  |    |      |
      |(any options)| AH | (any options) |TCP | Data |
      ------------------------------------------------
      ||
      |           in the new IP hdr                  |</PRE>
<P>This would normally be used in a gateway-to-gateway tunnel. The 
receiving  gateway then strips the outer IP header and the AH header 
and forwards the  inner IP packet.</P>
<P>The mutable fields referred to are things like the time-to-live 
field in  the IP header. These cannot be included in authentication 
calculations  because they change as the packet travels.</P>
<H4><A name="keyed">Keyed MD5 and Keyed SHA</A></H4>
<P> The actual authentication data in the header is typically 96 bits 
and depends both on a secret shared between sender and receiver and on 
every byte of the data being authenticated.</P>
<P> The algorithms involved are the <A href="#MD5">MD5</A> Message 
Digest  Algorithm or <A href="#SHA">SHA</A>, the Secure Hash Algorithm. 
For details  on their use in this application, see RFCs 2403 and 2404 
respectively.</P>
<P>For descriptions of the algorithms themselves, see RFC 1321 for MD5 
and <A href="#FIPS"> FIPS</A> (Federal Information Processing Standard) 
number  186 from <A href="#NIST">NIST</A>, the US National Institute of 
Standards  and Technology for SHA. <A href="#schneier"><CITE>Applied 
 Cryptography</CITE></A> covers both in some detail, MD5 starting on 
page 436  and SHA on 442.</P>
<P>These algorithms are intended to make it nearly impossible for 
anyone to  alter the authenticated data in transit. The sender 
calculates a digest or  hash value from that data and includes the 
result in the authentication  header. The recipient does the same 
calculation and compares results. For  unchanged data, the results will 
be identical. The hash algorithms are  designed to make it extremely 
difficult to change the data in any way and  still get the correct hash.</P>
<P>Since the shared secret key is also used in both calculations, an 
 interceptor cannot simply alter the authenticated data and change the 
hash  value to match. Without the key, he or she (or even the dreaded 
They) cannot  produce a usable hash.</P>
<H4><A name="sequence">Sequence numbers</A></H4>
<P>The authentication header includes a sequence number field which the 
 sender is required to increment for each packet. The receiver can 
ignore it  or use it to check that packets are indeed arriving in the 
expected  sequence.</P>
<P>This provides partial protection against <A href="#replay">replay 
 attacks</A> in which an attacker resends intercepted packets in an 
effort to  confuse or subvert the receiver. Complete protection is not 
possible since  it is necessary to handle legitmate packets which are 
lost, duplicated, or  delivered out of order, but use of sequence 
numbers makes the attack much  more difficult.</P>
<P>The RFCs require that sequence numbers never cycle, that a new key 
always  be negotiated before the sequence number reaches 2^32-1. This 
protects both  against replays attacks using packets from a previous 
cyclce and against <A href="#birthday">birthday attacks</A> on the the 
packet authentication  algorithm.</P>
<P>In Linux FreeS/WAN, the sequence number is ignored for manually 
keyed  connections and checked for automatically keyed ones. In 
automatic mode, we  do that. In manual mode, there is no way to 
negotiate a new key, or to  recover from a sequence number problem, so 
we don't use sequence  numbers.</P>
<H3><A name="ESP.ipsec">Encapsulated Security Payload (ESP)</A></H3>
<P>The ESP protocol is defined in RFC 2406. It provides one or both of 
 encryption and packet authentication. It may be used with or without 
AH  packet authentication.</P>
<P>Note that <STRONG>some form of packet authentication should <EM>
 always</EM> be used whenever data is encrypted</STRONG>. Without 
 authentication, the encryption is vulnerable to active attacks which 
may  allow an enemy to break the encryption. ESP should <STRONG>always</STRONG>
 either include its own authentication or be used with AH 
authentication.</P>
<P>The RFCs require support for only two mandatory encryption 
algorithms -- <A href="#DES"> DES</A>, and null encryption -- and for 
two authentication  methods -- keyed MD5 and keyed SHA. Implementers 
may choose to support  additional algorithms in either category.</P>
<P>The authentication algorithms are the same ones used in the IPSEC <A href="#AH">
authentication header</A>.</P>
<P> We do not implement single DES since <A href="#desnotsecure">DES is 
insecure</A>. Instead we provide <A href="#3DES">triple DES or 3DES</A>
. This is currently the only encryption algorithm supported.</P>
<P> We do not implement null encryption since it is obviously insecure.</P>
<H2><A name="modes">IPSEC modes</A></H2>
<P>IPSEC can connect in two modes. Transport mode is a host-to-host 
 connection involving only two machines. In tunnel mode, the IPSEC 
machines  act as gateways and trafiic for any number of client machines 
may be  carried.</P>
<H3><A name="tunnel.ipsec">Tunnel mode</A></H3>
<P>Security gateways are required to support tunnel mode connections. 
In  this mode the gateways provide tunnels for use by client machines 
behind the  gateways. The client machines need not do any IPSEC 
processing; all they  have to do is route things to gateways.</P>
<H3><A name="transport.ipsec">Transport mode</A></H3>
<P>Host machines (as opposed to security gateways) with IPSEC 
 implementations must also support transport mode. In this mode, the 
host  does its own IPSEC processing and routes some packets via IPSEC.</P>
<H2><A name="parts">FreeS/WAN parts</A></H2>
<H3><A name="KLIPS.ipsec">KLIPS: Kernel IPSEC Support</A></H3>
<P>KLIPS is <STRONG>K</STRONG>erne<STRONG>L</STRONG><STRONG> IP</STRONG>
SEC <STRONG> S</STRONG>upport, the modifications necessary to support 
IPSEC  within the Linux kernel. KILPS does all the actual IPSEC 
packet-handling,  including</P>
<UL>
<LI>encryption</LI>
<LI>packet authentication calculations</LI>
<LI>creation of ESP and AH headers for outgoing packets</LI>
<LI>interpretation of those headers on incoming packets</LI>
</UL>
<P>KLIPS also checks all non-IPSEC packets to ensure they are not 
bypassing  IPSEC security policies.</P>
<H3><A name="Pluto.ipsec">The Pluto daemon</A></H3>
<P><A href="manpage.d/ipsec_pluto.8.html">Pluto(8)</A> is a daemon 
which  implements the IKE protocol. It</P>
<UL>
<LI>handles all the Phase one ISAKMP SAs</LI>
<LI>performs host authentication and negotiates with other gateways</LI>
<LI>creates IPSEC SAs and passes the data required to run them to  KLIPS</LI>
<LI>adjust routing and firewall setup to meet IPSEC requirements. See 
our <A href="firewall.html"> IPSEC and firewalling</A> document for 
details.</LI>
</UL>
 Pluto is controlled mainly by the <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> configuration file. 
<H3><A name="command">The ipsec(8) command</A></H3>
<P>The ipsec(8) command is a front end that allows control over IPSEC 
 activity.</P>
<H3><A name="ipsec.conf">Linux FreeS/WAN configuration file</A></H3>
<P>The configuration file for Linux FreeS/WAN is</P>
<PRE>
        /etc/ipsec.conf
</PRE>
 For details see the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
 manual page and our <A href="config.html">Configuration</A> section. 
<H2><A name="key">Key management</A></H2>
<P>There are several ways IPSEC can manage keys. Not all are 
implemented in  Linux FreeS/WAN.</P>
<H3><A name="current">Currently Implemented Methods</A></H3>
<H4><A name="manual">Manual keying</A></H4>
<P>IPSEC allows keys to be manually set. In Linux FreeS/WAN, such keys 
are  stored with the connection definitions in /etc/ipsec.conf.</P>
<P><A href="#manual">Manual keying</A> is useful for debugging since it 
 allows you to test the <A href="#KLIPS">KLIPS</A> kernel IPSEC code 
without  the <A href="#Pluto">Pluto</A> daemon doing key negotiation.</P>
<P>In general, however, automatic keying is preferred because it is 
more  secure.</P>
<H4><A name="auto">Automatic keying</A></H4>
<P>In automatic keying, the <A href="#Pluto">Pluto</A> daemon 
negotiates  keys using the <A href="#IKE">IKE</A> Internet Key Exchange 
protocol.  Connections are automatically re-keyed periodically.</P>
<P>This is considerably more secure than manual keying. In either case 
an  attacker who acquires a key can read every message encrypted with 
that key,  but automatic keys can be changed every few hours or even 
every few minutes  without breaking the connection or requiring 
intervention by the system  administrators. Manual keys can only be 
changed manually; you need to shut  down the connection and have the 
two admins make changes. Moreover, they  have to communicate the new 
keys securely, perhaps with <A href="#PGP">PGP</A> or <A href="#SSH">SSH</A>
.  This may be possible in some  cases, but as a general solution it is 
expensive, bothersome and unreliable.  Far better to let <A href="#Pluto">
Pluto</A> handle these chores; no doubt  the administrators have enough 
to do.</P>
<P>Also, automatic keying is inherently more secure against an attacker 
who  manages to subvert your gateway system. If manual keying is in use 
and an  adversary acquires root privilege on your gateway, he reads 
your keys from  /etc/ipsec.conf and then reads all messages encrypted 
with those keys.</P>
<P>If automatic keying is used, an adversary with the same privileges 
can  read /etc/ipsec.secrets, but this does not contain any keys, only 
the  secrets used to authenticate key exchanges. Having an adversary 
able to  authenticate your key exchanges need not worry you overmuch. 
Just having the  secrets does not give him any keys. You are still 
secure against <A href="#passive">passive</A> attacks. This property of 
automatic keying is  called <A href="#PFS">perfect forward secrecy</A>, 
abbreviated PFS.</P>
<P>Unfortunately, having the secrets does allow an <A href="#active">
active  attack</A>, specifically a <A href="#middle">man-in-the-middle</A>
 attack.  Losing these secrets to an attacker may not be quite as 
disastrous as losing  the actual keys, but it is <EM>still a serious 
security breach</EM>. These  secrets should be guarded as carefully as 
keys.</P>
<H3><A name="notyet">Methods not yet implemented</A></H3>
<H4><A name="noauth">Unauthenticated key exchange</A></H4>
<P>It would be possible to exchange keys without authenticating the 
players.  This would support <A href="#carpediem"> opportunistic 
encryption</A> -- allowing any two  systems to encrypt their 
communications without requiring a shared PKI or a  previously 
negotiated secret -- and would be secure against <A href="#passive">
passive attacks</A>. It would, however, be highly vulnerable  to active <A
href="#middle">man-in-the-middle</A> attacks. RFC 2408  therefore 
specifies that all <A href="#ISAKMP">ISAKMP</A> key management 
 interactions <EM>must</EM> be authenticated. </P>
<P>There is room for debate here. Should we provide immediate security 
 against <A href="#passive">passive attacks</A> and encourage 
widespread use  of encryption, at the expense of risking the more 
difficult <A href="#active">active attacks</A>? Or should we wait until 
we can implement  a solution that can both be widespread and offer 
security against active  attacks?</P>
<P>So far, we have chosen the second course, complying with the RFCs 
and  waiting for secure DNS (see <A href="#DNS">below</A>) so that we 
can do <A href="#carpediem">opportunistic encryption</A> right.</P>
<H4><A name="DNS">Key exchange using DNS</A></H4>
<P>The IPSEC RFCs allow key exchange based on authentication services 
 provided by <A href="#SDNS">Secure DNS</A>. Once Secure DNS service 
becomes  widely available, we expect to make this the <EM>primary key 
management  method for Linux FreeS/WAN</EM>. It is the best way we know 
of to support <A href="#carpediem">opportunistic encryption</A>, 
allowing two systems without  a common PKI or previous negotiation to 
secure their communication.</P>
<P>As of FreeS/WAN 1.4, we have experimental code to acquire RSA keys 
from  DNS but do not yet have code to validate Secure DNS signatures.</P>
<H4><A name="PKI">Key exchange using a PKI</A></H4>
<P>The IPSEC RFCs allow key exchange based on authentication services 
 provided by a <A href="#PKI">PKI</A> or Public Key Infrastructure. 
With many  vendors selling such products and many large organisations 
building these  infrastructures, this will clearly be an important 
application of IPSEC and  one Linux FreeS/WAN will eventually support.</P>
<P>On the other hand, this is not as high a priority for Linux 
FreeS/WAN as  solutions based on <A href="#SDNS">secure DNS</A>. We do 
not expect any PKI  to become as universal as DNS.</P>
<P>Some <A href="#patch">patches</A> to handle  authentication with 
X.509 certificates, which most PKIs use, are available.</P>
<H4><A name="photuris">Photuris</A></H4>
<P><A href="#photuris"> Photuris</A> is another key management 
protocol, an  alternative to IKE and ISAKMP, described in RFCs 2522 and 
2523 which are  labelled &quot;experimental&quot;. Adding Photuris support to 
Linux FreeS/WAN might be  a good project for a volunteer. The likely 
starting point would be the  OpenBSD photurisd code.</P>
<H4><A name="skip">SKIP</A></H4>
<P><A href="#SKIP">SKIP</A> is yet another key management protocol, 
 developed by Sun. At one point it was fairly widely used, but our 
current  impression is that it is moribund, displaced by IKE. Sun now 
(as of Solaris  8.0) ship an IPSEC implementation using IKE. We have no 
plans to implement  SKIP.</P>
<HR>
<H1><A name="lists">Mailing lists and newsgroups</A></H1>
<H2><A name="list.fs">Mailing lists about FreeS/WAN</A></H2>
<H3><A name="projlist">The project mailing lists</A></H3>
 The Linux FreeS/WAN project has several email lists for user support, 
bug reports and software development discussions. 
<P> We had a single list on clinet.fi for several years (Thanks, 
folks!), then one list on freeswan.org, but now we've split into 
several lists:</P>
<DL>
<DT><A href="mailto:users-request@lists.freeswan.org?body=subscribe">
users</A></DT>
<DD>
<UL>
<LI>The general list for discussing use of the software </LI>
<LI>The place for seeking <STRONG>help with problems</STRONG> (but 
please check the <A href="faq.html">FAQ</A> first). </LI>
<LI>Anyone can post. </LI>
</UL>
</DD>
<DT><A href="mailto:bugs-request@lists.freeswan.org?body=subscribe">bugs</A>
</DT>
<DD>
<UL>
<LI>For <STRONG>bug reports</STRONG>. </LI>
<LI>If you are not certain what is going on -- could be a bug, a 
configuration  error, a network problem, ... -- please post to the 
users list instead. </LI>
<LI>Anyone can post. </LI>
</UL>
</DD>
<DT><A href="mailto:design-request@lists.freeswan.org?body=subscribe">
design</A></DT>
<DD>
<UL>
<LI><STRONG>Design discussions</STRONG>, for people working on 
FreeS/WAN development or others with an interest  in design and 
security issues. </LI>
<LI>It would be a good idea to read the existing design papers (see 
this <A href="#applied">list</A>) before  posting. </LI>
<LI>Anyone can post. </LI>
</UL>
</DD>
<DT><A href="mailto:announce-request@lists.freeswan.org?body=subscribe">
announce</A></DT>
<DD>
<UL>
<LI>A <STRONG>low-traffic</STRONG> list. </LI>
<LI><STRONG>Announcements</STRONG> about FreeS/WAN and related 
software. </LI>
<LI>All posts here are also sent to the users list. You need not 
subscribe to both. </LI>
<LI>Only the FreeS/WAN team can post. </LI>
<LI>If you have something you feel should go on this list, send it to <VAR>
announce-admin@lists.freeswan.org</VAR>.  Unless it is obvious, please 
include a short note explaining why we should post it.</LI>
</UL>
</DD>
<DT><A href="mailto:briefs-request@lists.freeswan.org?body=subscribe">
briefs</A></DT>
<DD>
<UL>
<LI>A <STRONG>low-traffic</STRONG> list. </LI>
<LI><STRONG>Weekly summaries</STRONG> of activity on the users list. </LI>
<LI>All posts here are also sent to the users list. You need not 
subscribe to both. </LI>
<LI>Only the FreeS/WAN team can post. </LI>
</UL>
</DD>
</DL>
 To subscribe to any of these, you can: 
<UL>
<LI>just follow the links above </LI>
<LI>use our <A href="http://www.freeswan.org/mail.html">web interface</A>
</LI>
<LI>send mail to <VAR>listname</VAR>-request@lists.freeswan.org with a 
one-line message body &quot;subscribe&quot; </LI>
</UL>
<P> Archives of these lists are available via the <A href="http://www.freeswan.org/mail.html">
web interface</A>. </P>
<H4><A name="policy.list">List policies</A></H4>
<STRONG> US citizens or residents are asked not to post code to the 
lists, not even one-line bug fixes</STRONG>. The project cannot accept 
code which might entangle it in US <A href="#exlaw">export restrictions</A>
.
<P> Non-subscribers can post to some of these lists. This is necessary; 
someone working on a gateway install who encounters a problem may not 
have access to a subscribed account. </P>
<P> Some spam turns up on these lists from time to time. For discussion 
of why we do not attempt to filter it, see the <A href="#spam">FAQ</A>. 
Please do not clutter the lists with complaints about this. </P>
<H3><A name="archive">Archives of the lists</A></H3>
<P> Searchable archives of the old single list have existed for some 
time. At time of writing, it is not yet clear how they will change for 
the new multi-list structure.</P>
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
<LI><A href="http://www.nexial.com">Holland</A></LI>
</UL>
<P> Note that these use different search engines. Try both.</P>
<P> Archives of the new lists are available via the <A href="http://www.freeswan.org/mail.html">
web interface</A>. </P>
<H2><A name="indexes">Indexes of mailing lists</A></H2>
<P><A href="http://paml.net/"> PAML</A> is the standard reference for <STRONG>
P</STRONG>ublicly <STRONG>A</STRONG>ccessible <STRONG>M</STRONG>ailing <STRONG>
L</STRONG>ists. When we last checked, it  had over 7500 lists on an 
amazing variety of topics. It also has FAQ  information and a search 
engine.</P>
<P> There is an index of <A href="http://oslab.snu.ac.kr/~djshin/linux/mail-list/index.shtml">
Linux  mailing lists</A> available.</P>
<P> A list of <A href="http://xforce.iss.net/maillists/otherlists.php">
computer security  mailing lists</A>, with descriptions.</P>
<H2><A name="otherlists">Lists for related software and topics</A></H2>
<P> Most links in this section point to subscription addresses for the 
various lists. Send the one-line message &quot;subscribe <VAR>list_name</VAR>
&quot; to subscribe to any of them.</P>
<H3><A name="linux.lists">Linux mailing lists</A></H3>
<UL>
<LI><A href="mailto:majordomo@vger.kernel.org">
linux-admin@vger.kernel.org</A>,  for Linux system administrators</LI>
<LI><A href="mailto:majordomo@rustcorp.com">ipchains@rustcorp.com</A>, 
 about the IPchains firewall tool</LI>
<LI><A href="mailto:majordomo@samba.anu.edu.au">
netfilter@samba.anu.edu.au</A>,  about Netfilter, which replaces 
IPchains in kernels 2.3.15 and  later</LI>
<LI><A href="mailto:securedistros-request@humbolt.geo.uu.nl">
securedistros@humbolt.geo.uu.nl</A>,  for discussion of issues common 
to all the half dozen projects working  on secure Linux distributions. 
Each project also has its own mailing  list. 
<UL>
<LI><A href="bastille-linux-discuss@lists.sourceforge.net">Bastille 
 Linux</A> scripts to harden Redhat, e.g. by changing permissions and 
 modifying inialisation scripts</LI>
<LI><A href="http://immunix.org/">Immunix</A> take a different 
 approach, using a modified compiler to build kernel and utilities 
 with better resistance to various types of overflow and exploit</LI>
</UL>
</LI>
<LI><A href="mailto:security-audit-request@ferret.lmh.ox.ac.uk">
security-audit@ferret.lmh.ox.ac.uk</A>,  for people working on security 
audits of various Linux programs</LI>
<LI>the <A href="#NSA">NSA</A> have contractors working on a Security 
Enhanced Linux,  primaily adding stronger access control mechanisms. 
You can download the current version  (which interestingly is under GPL 
and not export resrtricted) or subscribe to the mailing  list from the <A
href="http://www.nsa.gov/selinux">project web page</A>. </LI>
</UL>
<H3><A name="ietf">Lists for IETF working groups</A></H3>
<P>Each <A href="#IETF">IETF</A> working group has an associated 
mailing  list where much of the work takes place.</P>
<UL>
<LI><A href="mailto:majordomo@lists.tislabs.com">ipsec@lists.tislabs.com</A>
,  the IPSEC <A href="http://www.ietf.org/html.charters/ipsec-charter.html">
 working group</A>. This is where the protocols are discussed, new 
drafts  announced, and so on. By now, the IPSEC working group is 
winding down  since the work is essentially complete. A <A href="http://www.sandelman.ottawa.on.ca/ipsec/">
list archive</A> is available.</LI>
<LI><A href="mailto:ipsec-policy-request@vpnc.org">IPSEC policy</A>
 list,  and its <A href="http://www.vpnc.org/ipsec-policy/">archive</A></LI>
<LI><A href="mailto:ietf-ipsra-request@vpnc.org">IP secure remote 
 access</A> list, and its <A href="http://www.vpnc.org/ietf-ipsra/mail-archive/">
archive</A></LI>
</UL>
<H3><A name="other">Other mailing lists</A></H3>
<UL>
<LI><A href="mailto:ipc-announce-request@privacy.org">
ipc-announce@privacy.org</A> a low-traffic list with announcements of 
developments in privacy,  encryption and online civil rights</LI>
<LI>a VPN mailing list's <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
home page</A></LI>
</UL>
<H2><A name="newsgroups">Usenet newsgroups</A></H2>
<UL>
<LI>sci.crypt</LI>
<LI>sci.crypt.research</LI>
<LI>comp.dcom.vpn</LI>
<LI>talk.politics.crypto</LI>
</UL>
<HR>
<H1><A name="weblink">Web links</A></H1>
<H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
<P>The main project web site is <A href="http://www.freeswan.org/">
www.freeswan.org</A>.</P>
<P>Links to other project-related <A href="#webdocs">sites</A> are 
provided in our introduction section.</P>
<H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
<P> Some user-contributed patches gave been integrated into the 
FreeS/WAN distribution. For a variety of reasons, those listed below 
have not.</P>
<P>Patches believed current at time of writing (March 2001, just before 
1.9 release):</P>
<UL>
<LI><A href="http://www.zengl.net/freeswan/download/">patches and 
utilities</A> for  using FreeS/WAN with PGPnet</LI>
<LI>patches for <A href="http://www.strongsec.com/freeswan/">X.509 
 certificate support</A>, also available from a <A href="http://www.twi.ch/~sna/strongsec/freeswan/">
mirror site</A></LI>
<LI>a <A href="http://tzukanov.narod.ru/">series</A> of patches that 
<UL>
<LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler </LI>
<LI>add GOST to OpenSSL </LI>
<LI>add GOST to the International kernel patch </LI>
<LI>let FreeS/WAN use International kernel patch ciphers </LI>
</UL>
</LI>
<LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6 
support</A></LI>
</UL>
<P> Before using these, check the <A href="mail.html">mailing list</A>
 for news of newer versions and to see whether they have been 
incorporated into more recent versions of FreeS/WAN.</P>
<P><STRONG> Note:</STRONG> At one point the way PGP generates RSA keys 
and the way FreeS/WAN checks them for validity before using them were 
slightly different, so quite a few PGP-generated keys would be rejected 
by FreeS/WAN, confusing users no end. This is fixed in 1.9. </P>
<P> A set of PKIX patches were recently announced on the mailing list:</P>
<PRE>
Subject: a different PKIX patch.
   Date: Mon, 5 Mar 2001
   From: Luc Lanthier &lt;firesoul@netwinder.org&gt;

I'd like to invite volunteers to use the now-complete PKIX project I've
been working on since about August. Because of this, the patch is for
FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since
I don't use IPV6 nor DNSSec.

This is similar, but different than Andreas Steffen's pkix
implementation. I've based this work on Neil Dunbar's openssl-pkix patch
for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and
added support for ID_DER_ASN1_DN ID packet support. It will do LDAP
certificate lookups no problem, as well as local flatfile, directory, or
DB lookup for testing or speed.

IE: It's a full CA-compatible client, capable of looking up, checking the
CRL for expiry and such. It will not only do the classic PSK and RSASIG
freeswan methods just fine, but also does PKIX's RSASIG, PKE and
RPKE. I've spent a lot of time adding RoadWarrior support for these last
IKE exchange methods.

The patch can be found as: 
  ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch
There are also freeswan-1.5 - kernel 2.4 patches for those who need them.

Let me know. Feedback is appreciated.
</PRE>
<P> Older patches:</P>
<UL>
<LI>Neil Dunbar's patches for <A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
 certificate  support</A>, using code from <A href="www.openssl.com">
Open SSL</A>.</LI>
<LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
 to add <A href="#Blowfish">Blowfish</A>, <A href="#IDEA">IDEA</A> and <A
href="#CAST128">CAST-128</A> to FreeS/WAN</LI>
<LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
patches</A> for aggressive  mode support </LI>
</UL>
<P> These patches are for older versions of FreeS/WAN and will likely 
not work with the current version.  Older versions of FreeS/WAN may be 
available on some of the <A href="intro.html#site">distribution sites</A>
, but we recommend using the current release.</P>
<H4><A name="VPN.masq">VPN masquerade patches</A></H4>
 Finally, there are some patches to other code that may be useful with 
FreeS/WAN: 
<UL>
<LI>a <A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
patch</A> to make IPSEC, PPTP and SSH VPNs work through a Linux 
firewall with <A href="#masq">IP masquerade</A>. </LI>
<LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
Linux VPN Masquerade HOWTO</A></LI>
</UL>
 Note that this is not required if the same machine does IPSEC and 
masquerading, only if you want a to locate your IPSEC gateway on a 
masqueraded network. See our <A href="#NAT">firewalls</A> document for 
discussion of why this is problematic. 
<P> At last report, this patch could not co-exist with FreeS/WAN on the 
same machine. </P>
<H3><A name="dist">Distributions including FreeS/WAN</A></H3>
<P>The introductory section of our document set lists several <A href="#distwith">
Linux distributions</A> which include FreeS/WAN.</P>
<H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
<UL>
<LI><A href="http://openpgp.net/random">/dev/random</A> support page, 
 discussion of and code for the Linux <A href="#random">random number 
 driver</A>. Out-of-date when we last checked (January 2000), but still 
 useful.</LI>
<LI>other programs related to random numbers: 
<UL>
<LI><A href="http://www.mindrot.org/code/audio-entropyd.php3">audio 
entropy daemon</A> to gather noise from a sound card and feed it into 
/dev/random </LI>
<LI>an <A href="http://www.lothar.com/tech/crypto/">entropy-gathering 
 daemon</A></LI>
<LI>a driver for the random number generator in recent <A href="http://gtf.org/garzik/drivers/i810_rng/">
Intel  chipsets</A></LI>
</UL>
</LI>
<LI>a Linux <A href="http://www.marko.net/l2tp/">L2TP Daemon</A> which 
 might be useful for communicating with Windows 2000 which builds L2TP 
 tunnels over its IPSEC connections</LI>
<LI><A href="http://www.bhconsult.com/packetspy/">packet spy</A>, a 
packet  sniffer whose author said in a Dec 1999 message &quot;It's very 
unfinished,  especially the filter, but it can give you an ascii and 
hex dump at the  same time. I started it specifically for snooping a 
FreeS/WAN  installation.&quot;</LI>
<LI>to use opportunistic encryption, you need a recent version of <A href="#BIND">
 BIND</A>. Get one from the <A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">
 FreeS/WAN site</A> or from the <A href="http://www.isc.org">Internet 
Software Consortium</A> who maintain BIND. </LI>
</UL>
<H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
<UL>
<LI>other Linux <A href="#linuxIPSEC">IPSEC implementations</A></LI>
<LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free 
 implementation of Sun's <A href="#SKIP">SKIP</A> protocol</LI>
<LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPSEC VPN 
daemon  for Linux which creates tunnels using <A href="#Blowfish">
Blowfish</A> encryption</LI>
<LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple 
GPLd  tunnel-building program with Linux and Win32 versions. The name 
is from <STRONG> Z</STRONG>lib compression, <STRONG>B</STRONG>lowfish 
encryption  and <STRONG>D</STRONG>iffie-Hellman key exchange.</LI>
<LI>LinuxCare's <A href="http://www.strongcrypto.com/">VPS (Virtual 
 Private Server)</A> which builds tunnels using <A href="#SSH">SSH</A></LI>
<LI>Moreton Bay's <A href="http://www.moretonbay.com/vpn/pptp.html">
PoPToP</A>, PPTP for  Linux</LI>
<LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
 (crypto IP routers)  project, using their own lightweight protocol to 
encrypt between  routers</LI>
<LI><A href="http://vtun.netpedia.net/">vtun</A> &quot;virtual tunnels&quot;, 
using  Blowfish</LI>
<LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
</UL>
<P> There is a list of <A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
Linux VPN</A> software in the <A href="http://www.securityportal.com/lskb/kben00000001.html">
Linux Security Knowledge Base</A>. </P>
<H2><A name="ipsec.link">The IPSEC Protocols</A></H2>
<H3><A name="general">General IPSEC or VPN information</A></H3>
<UL>
<LI>The <A href="http://www.vpnc.org">VPN Consortium</A> is a group for 
 vendors of IPSEC products. Among other things, they have a good 
 collection of <A href="http://www.vpnc.org/white-papers.html">IPSEC 
 white papers</A>.</LI>
<LI>A VPN mailing list with a <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
home page</A>, a  FAQ, some product comparisons, and many links.</LI>
<LI>A list of <A href="http://www.cs.umass.edu/~lmccarth/ipsec.html">
IPSEC  links</A> from Lewis McCarthy at U Mass.</LI>
<LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer  page</A></LI>
<LI>a <A href="http://www.epm.ornl.gov/~dunigan/vpn.html">collection</A>
 of VPN links, and some explanation </LI>
</UL>
<H3><A name="overview">IPSEC overview documents or slide sets</A></H3>
<UL>
<LI>the FreeS/WAN <A href="ipsec.html">document section</A> on these 
protocols</LI>
<LI>A good <A href="http://www.data.com/tutorials/bullet.html">
 introductory article </A> with links to several articles on related 
 topics</LI>
<LI><A href="http://www.ipsec.com/ipsectech.html">SSH Communications 
 Security</A></LI>
<LI>Timestep Corporation's tutorial: go to their <A href="http://www.timestep.com">
web site</A>, then follow the &quot;VPN  Overview&quot; link</LI>
</UL>
<H3><A name="otherlang">IPSEC information in languages other than 
English</A></H3>
<UL>
<LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
German</A></LI>
<LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
</UL>
<H3><A name="RFCs1">RFCs and other reference documents</A></H3>
<UL>
<LI><A href="rfc.html">Our document</A> listing the RFCs relevant to 
Linux  FreeS/WAN and giving various ways of obtaining both RFCs and 
Internet  Drafts.</LI>
<LI><A href="http://www.vpnc.org/ipsec-standards.html">IPSEC standards</A>
 page maintained by <A href="#VPNC">VPNC</A>. This covers both RFCs and 
 Drafts, and classifies them in a fairly helpful way.</LI>
<LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
<LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
 related to IPSEC</LI>
<LI>US government <A href="http://www.itl.nist.gov/div897/pubs"> site</A>
 with their <A href="#FIPS">FIPS</A> standards</LI>
<LI>Archives of the ipsec@tis.com mailing list where discussion of 
drafts  takes place. 
<UL>
<LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern  Canada</A>
</LI>
<LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
</UL>
</LI>
</UL>
<H3><A name="analysis">Analysis and critiques of IPSEC protocols</A></H3>
<UL>
<LI>Counterpane's <A href="http://www.counterpane.com/ipsec.pdf">
evaluation</A> of the  protocols</LI>
<LI>Simpson's <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
IKE  Considered Dangerous</A> paper. Note that this is a link to an 
archive  of our mailing list. There are several replies in addition to 
the paper  itself.</LI>
<LI>Bellovin's <A href="http://www.research.att.com/~smb/papers/index.html">
papers</A> page including his: 
<UL>
<LI>Security Problems in the TCP/IP Protocol Suite (1989)</LI>
<LI>Problem Areas for the IP Security Protocols (1996)</LI>
<LI>Probable Plaintext Cryptanalysis of the IP Security Protocols 
 (1997)</LI>
</UL>
</LI>
<LI>Catherine Meadows of NRL applied the NRL Protocol Analyzer to IKE. 
Her  paper is available in <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
PDF</A> or <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
Postscript</A>.</LI>
<LI>An <A href="http://www.lounge.org/ike_doi_errata.html">errata list</A>
 for the IPSEC RFCs.</LI>
</UL>
<H3><A name="IP.background">Background information on IP</A></H3>
<UL>
<LI>An introduction to <A href="http://www.3com.com/nsc/501302.html">IP 
 addressing</A> from 3Com</LI>
<LI>An <A href="http://ipprimer.windsorcs.com/">IP tutorial</A> that 
seems  to be written mainly for Netware or Microsoft LAN admins 
entering a new  world</LI>
<LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers 
 Authority</LI>
<LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>, 
 Classless Inter-Domain Routing</LI>
<LI>Also see our <A href="biblio.html">bibliography</A></LI>
</UL>
<H2><A name="implement">IPSEC Implementations</A></H2>
<H3><A name="linuxprod">Linux products</A></H3>
<P> Vendors using FreeS/WAN in turnkey firewall or VPN products are 
listed in  our <A href="#turnkey">introduction</A>.</P>
<P>Other vendors have Linux IPSEC products which, as far as we know, do 
not  use FreeS/WAN</P>
<UL>
<LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
 provide an open source Linux driver for their PCI hardware VPN card. 
 This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more 
 specialised crypto chips, and claimed encryption performance of 45 
 Mbit/sec. The PC sees it as an Ethernet board.</LI>
<LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
 offer a Linux-based VPN with hardware encryption </LI>
<LI>According to a report on our mailing list, <A href="http://www.watchguard.com/">
Watchguard</A> use Linux in their  Firebox product.</LI>
<LI><A href="http://www.entrust.com">Entrust</A> offer a developers' 
 toolkit for using their <A href="#PKI">PKI</A> for IPSEC 
 authentication</LI>
<LI>According to a report on our mailing list, <A href="www.axent.com">
Axent</A> have a Linux version of their product. </LI>
</UL>
<H3><A name="router">IPSEC in router products</A></H3>
<P> All the major router vendors support IPSEC, at least in some models.</P>
<UL>
<LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
 IPSEC  information</LI>
<LI><A href="http://www.ascend.com/">Ascend</A>, now part of Lucent, 
have  some IPSEC-based products</LI>
<LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part 
of  Nortel, use IPSEC in their Contivity switch product line</LI>
<LI><A href="http://www.3com.com/products/enterprise.html">3Com</A>
 have a  number of VPN products, some using IPSEC</LI>
</UL>
<H3><A name="fw.web">IPSEC in firewall products</A></H3>
 Many firewall vendors offer IPSEC, either as a standard part of their 
product, or an optional extra. A few we know about are: 
<UL>
<LI><A href="http://www.borderware.com/">Borderware</A></LI>
<LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley 
Laurent</A></LI>
<LI><A href="http://www.watchguard.com">Watchguard</A></LI>
<LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2 </LI>
</UL>
<P> Vendors using FreeS/WAN in turnkey firewall products are listed in 
our <A href="turnkey">introduction</A>.</P>
<H3><A name="ipsecos">Operating systems with IPSEC support</A></H3>
<P>All the major open source operating systems support IPSEC. See below 
for  details on <A href="#BSD">BSD-derived</A> Unix variants.</P>
<P>Among commercial OS vendors, IPSEC players include:</P>
<UL>
<LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
Microsoft</A> have put IPSEC in their Windows 2000 products</LI>
<LI>Apple's <A href="http://www.appleinsider.com/macosx.shtml">Mac OS X</A>
 has IPSEC support built in</LI>
<LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
 announce a release of OS390 with IPSEC support via a crypto 
 co-processor</LI>
<LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
Sun</A> include IPSEC in Solaris 8</LI>
<LI><A href="http://www.hp.com/security/products/extranet-security.html">
Hewlett  Packard</A> offer IPSEC for their Unix machines</LI>
</UL>
<H3><A name="opensource">Open source IPSEC implementations</A></H3>
<H4><A name="linuxIPSEC">Other Linux IPSEC implementations</A></H4>
<P>We like to think of FreeS/WAN as <EM>the</EM> Linux IPSEC 
implementation,  but it is not the only one. Others we know of are:</P>
<UL>
<LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a 
 lightweight implementation of IPSEC for Linux. Does not require kernel 
 recompilation.</LI>
<LI>Petr Novak's <A href="ftp://ftp.eunet.cz/icz/ipnsec/">ipnsec</A>, 
 based on the OpenBSD IPSEC code and using <A href="#photuris">Photuris</A>
 for key management</LI>
<LI>A now defunct project at <A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
U of  Arizona</A> (export controlled)</LI>
<LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
 (export  controlled)</LI>
</UL>
<H4><A name="BSD">IPSEC for BSD Unix</A></H4>
<UL>
<LI><A href="http://www.kame.net/project-overview.html">KAME</A>, 
several  large Japanese companies co-operating on IPv6 and IPSEC</LI>
<LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
 implementation of IPv6 and of IPSEC for IPv4 (export controlled)</LI>
<LI><A href="http://www.openbsd.org/crypto">OpenBSD</A> includes IPSEC 
as  a standard part of the distribution</LI>
<LI><A href="http://www.r4k.net/ipsec">IPSEC for FreeBSD</A></LI>
<LI>a <A href="http://www.netbsd.org/Documentation/network/ipsec/">FAQ</A>
 on NetBSD's IPSEC implementation</LI>
</UL>
<H4><A name="misc">IPSEC for other systems</A></H4>
<UL>
<LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of 
 Technolgy</A> have implemented IPSEC for Solaris, Java and  Macintosh</LI>
</UL>
<H3><A name="interop">Interoperability</A></H3>
<P> The IPSEC protocols are designed so that different implementations 
should be able to work together. As they say &quot;the devil is in the 
details&quot;. IPSEC has a lot of details, but considerable success has been 
achieved.</P>
<H4><A name="result">Interoperability results</A></H4>
<P> Linux FreeS/WAN has been tested for interoperability with many 
other  IPSEC implementations. Results to date are in our <A href="interop.html">
interoperability</A> section.</P>
<P>Various other sites have information on interoperability between 
various  IPSEC implementations:</P>
<UL>
<LI><A href="http://www.opus1.com/vpn/atl99display.html">interop 
 results</A> from a bakeoff in Atlanta, September 1999.</LI>
<LI>a French company, HSC's, <A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux 
pipsecd, Checkpoint, Red  Creek Ravlin, and Cisco IOS</LI>
<LI><A href="http://www.icsa.net/">ICSA</A> offer certification 
programs  for various security-related products. See their list of <A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
 certified IPSEC</A> products. Linux FreeS/WAN is not currently on that 
 list, but several products with which we interoperate are.</LI>
<LI>VPNC have a page on why they are not yet doing <A href="http://www.vpnc.org/interop.html">
 interoperability</A> testing and a  page on the <A href="http://www.vpnc.org/conformance.html">
spec conformance</A> testing that they are doning</LI>
<LI>a <A href="http://www.commweb.com/article/COM20000912S0009">review</A>
 comparing a dozen commercial IPSEC implemetations. Unfortunately, the 
 reviewers did not look at Open Source implementations such as 
FreeS/WAN  or OpenBSD.</LI>
<LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
results</A> from interoperability tests at a conference. FreeS/WAN was 
not tested  there.</LI>
<LI>test results from the <A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
IPSEC 2000</A> conference </LI>
</UL>
<H4><A name="test1">Interoperability test sites</A></H4>
<UL>
<LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing 
 project with free IPSEC validation software </LI>
<LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of 
 Standards and Technology</A></LI>
<LI><A href="http://www.rsa.com/rsa/SWAN/swan_test1.html">RSA Data 
 Security</A></LI>
<LI><A href="http://isakmp-test.ssh.fi/">SSH Communications  Security</A>
</LI>
<LI><A href="http://www2.internetdevices.com/arch-lab/interop-testing">
Internet  Devices</A></LI>
</UL>
<H2><A name="linux.link">Linux links</A></H2>
<H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
<UL>
<LI>Linux <A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
Getting  Started</A> HOWTO document</LI>
<LI>A getting started guide from the <A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
U of  Oregon</A></LI>
<LI>A large <A href="http://www.herring.org/techie.html">link 
 collection</A> which includes a lot of introductory and tutorial 
 material on Unix, Linux, the net, . . .</LI>
</UL>
<H3><A name="general">General Linux sites</A></H3>
<UL>
<LI><A href="http://members.aa.net/~swear/pedia/index.html">Gary's 
 Encyclopedia</A>, several thousand Linux links, over 100 categories</LI>
<LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
<LI><A href="http://slashdot.org">Slashdot</A> &quot;News for Nerds&quot;</LI>
<LI><A href="http://www.linux.org">Linux Online</A></LI>
<LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
<LI><A href="http://www.tux.org">tux.org</A></LI>
</UL>
<H3><A name="docs1">Documentation</A></H3>
<UL>
<LI><A href="http://metalab.unc.edu/LDP">Linux Documentation Project</A>
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
 guide to Linux information sources</LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/HOWTO-INDEX-3.html">Index 
of  HOWTO documents</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel 
 HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security  HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
Networking  Overview HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/NET-3-HOWTO.html">Net 3 
 HOWTO</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/LDP/sag/node1.html">System 
 Administrator's Guide</A></LI>
<LI><A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">Network 
 Adminstrator's Guide</A></LI>
</UL>
</LI>
<LI><A href="www.oswg.org">Open Source Writers' Group</A>, cover the 
BSD  derivatives as well as Linux 
<UL>
<LI><A href="http://www.oswg.org/oswg/query/osdi">document  index</A></LI>
<LI>some good <A href="">essays</A> on open source ideas</LI>
</UL>
</LI>
<LI>Tucows <A href="">Linux HowTo collection</A>, mostly a mirror of 
LDP  material</LI>
</UL>
<H3><A name="advroute.web">Advanced routing</A></H3>
<P>The Linux IP stack is getting some new features in 2.4 kernels. Most 
are  already available as experimental code in 2.3 kernels. Some HowTos 
have been  written:</P>
<UL>
<LI>several HowTos for the <A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
netfilter</A> firewall code in newer kernels</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
2.4  networking</A> HowTo</LI>
<LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
2.4  routing</A> HowTo</LI>
</UL>
<H3><A name="linsec">Security for Linux</A></H3>
<UL>
<LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
Security  HOWTO</A></LI>
<LI>Linux Security <A href="http://www.securityportal.com/lskb/kben00000001.html">
Knowledge Base</A></LI>
<LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
Trinity  OS guide to setting up Linux</A></LI>
<LI><A href="https://www.seifried.org/lasg/">Linux Administrator's 
 Security Guide</A></LI>
<LI><A href="http://www.ecst.csuchico.edu/~jtmurphy/">Linux security</A>
 page</LI>
<LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
<LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting 
 filesystem</LI>
<LI><A href="http://fachschaft.physik.uni-bielefeld.de/leute/marc/Encryption-HOWTO/">
Linux  Encryption HowTo</A> This does not cover FreeS/WAN (or didn't 
when I  last checked, April 2000), only gives a pointer to our web 
site, but  does have some good information on other things.</LI>
</UL>
<H3><A name="firewall.linux">Linux firewalls</A></H3>
<UL>
<LI><A href="http://rlz.ne.mediaone.net/linux">Linux Firewall  page</A></LI>
<LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
<LI><A href="http://www.rustcorp.com/linux/ipchains">IP chains</A>, the 
 firewall code in 2.2 kernels.</LI>
<LI><A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
netfilter</A> firewall code in kernels from 2.3.15 on</LI>
<LI>Our list of general <A href="#firewall">firewall references</A> on 
the  web</LI>
<LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool 
for  automatically configuring Linux firewalls</LI>
<LI><A href="http://seawall.sourceforge.net/">Seattle Firewall</A>
 tools for  building a firewall using ipchains and FreeS?WAN </LI>
<LI>the web cache software <A href="http://www.squid-cache.org/">squid</A>
 and <A href="http://www.squidguard.org/">squidguard</A> which turns 
 Squid into a filtering web proxy</LI>
</UL>
<H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
<UL>
<LI><A href="http://lwn.net/current/dists.php3">List of Linux 
distribution  vendors</A></LI>
<LI>FAQ for the <A href="http://www.miscellaneous.net/linux/linux-admin-FAQ/linux-admin-FAQ-1.html">
 Linux adminstration</A> mailing list</LI>
<LI>A web page about PPTP for Linux with a list of other <A href="http://www.moretonbay.com/vpn/pptp.html">
Linux VPN</A> software</LI>
</UL>
<H2><A name="crypto.link">Crypto and security links</A></H2>
<H3><A name="security">Crypto and security resources</A></H3>
<H4><A name="std.links">The standard link collections</A></H4>
<P>Two enormous collections of links, each the standard reference in 
its  area:</P>
<DL>
<DT>Gene Spafford's <A href="http://www.cerias.purdue.edu/coast/hotlist/">
COAST hotlist</A></DT>
<DD>Computer and network security.</DD>
<DT>Peter Gutmann's <A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
Encryption and  Security-related Resources</A></DT>
<DD>Cryptography.</DD>
</DL>
<H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
<UL>
<LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography 
 FAQ</A></LI>
<LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
<LI>A FAQ listing computer security <A href="">mailing lists</A></LI>
<LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix 
 Programming FAQ</A></LI>
<LI>FAQs for specific programs are listed in the <A href="#tools">tools</A>
 section below.</LI>
</UL>
<H4><A name="cryptover">Tutorials</A></H4>
<UL>
<LI>Gary Kessler's <A href="http://www.garykessler.net/library/crypto.html">
Overview of  Cryptography</A></LI>
<LI>Terry Ritter's <A href="http://www.io.com/~ritter/LEARNING.HTM">
introduction</A></LI>
<LI>Kurt Seifried's online <A href="http://www.securityportal.com/research/cryptodocs/basic-book/">
introductory  book</A></LI>
<LI>Peter Gutman's <A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
cryptography</A> tutorial (500 slides in PDF format)</LI>
<LI>Amir Herzberg of IBM's sildes for his course <A href="http://www.hrl.il.ibm.com/mpay/course.html">
Introduction to  Cryptography and Electronic Commerce</A></LI>
<LI>the <A href="http://www.gnupg.org/gph/en/manual/c173.html">concepts 
 section</A> of the <A href="#GPG">GNU Privacy Guard</A> documentation</LI>
<LI>Bruce Schneier's self-study <A href="http://www.counterpane.com/self-study.html">
cryptanalysis</A> course</LI>
</UL>
<P>See also the <A href="#interesting">interesting papers</A> section 
 below.</P>
<H4><A name="standards">Crypto and security standards</A></H4>
<UL>
<LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new 
 international computer and network security standards to replace the 
 &quot;Rainbow&quot; series</LI>
<LI>AES <A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
 Advanced Encryption Standard </A> which will replace DES</LI>
<LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public 
key  standard</A></LI>
<LI>our collection of links for the <A href="#ipsec.link">IPSEC</A>
 standards</LI>
<LI>history of <A href="http://www.visi.com/crypto/evalhist/index.html">
formal  evaluation</A> of security policies and implementation</LI>
</UL>
<H3><A name="policy">Cryptography law and policy</A></H3>
<H4><A name="legal">Surveys of crypto law</A></H4>
<UL>
<LI>International survey of <A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
 crypto  law</A>.</LI>
<LI>International survey of <A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
 digital signature  law</A></LI>
</UL>
<H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
<UL>
<LI>The <A href="#EFF">EFF</A>'s archives on <A href="http://www.eff.org/pub/Privacy/">
privacy</A> and <A href="http://www.eff.org/pub/Privacy/ITAR_export/">
export  control</A>.</LI>
<LI><A href="www.gilc.org">Global Internet Liberty Campaign</A></LI>
<LI><A href="http://www.cdt.org/crypto">Center for Democracy and 
 Technology</A></LI>
<LI><A href="http://www.privacyinternational.org/">Privacy 
 International</A>, who give out <A href="http://www.bigbrotherawards.org/">
Big Brother Awards</A> to snoopy  organisations</LI>
</UL>
<H4><A name="other.policy">Other information on crypto policy</A></H4>
<UL>
<LI><A href="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1984.txt">
RFC  1984</A>, the <A href="#IAB">IAB</A> and <A href="#IESG">IESG</A>
 Statement on Cryptographic Technology and the Internet.</LI>
<LI>John Young's collection of <A href="http://jya.com/crypto.htm">
documents</A> of interest to the  cryptography, open government and 
privacy movements, organized  chronologically</LI>
<LI>Encryption, Privacy and Security <A href="http://www.crypto.com">
Resource Page</A> with a mainly US  focus</LI>
<LI><A href="ftp://ftp.cygnus.com/pub/export/export.html">Cryptography 
 Export Control Archive</A>, mainly links to court and govenment 
 documents on various challenges to US law</LI>
<LI>A good <A href="http://cryptome.org/crypto97-ne.htm">overview</A>
 of  the issues from Australia.</LI>
</UL>
<P>See also our documentation section on the <A href="politics.html">
history and  politics</A> of cryptography.</P>
<H3><A name="crypto.tech">Cryptography technical information</A></H3>
<H4><A name="cryptolinks">Collections of crypto links</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
<LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter 
 Gutman's links</A></LI>
<LI><A href="http://home.cyber.ee/helger/crypto/">Helger Lipmaa's  links</A>
</LI>
<LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI  links</A>
</LI>
<LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
</UL>
<H4><A name="papers">Lists of online cryptography papers</A></H4>
<UL>
<LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
<LI><A href="http://www.cryptography.com/resources/papers">
cryptography.com</A></LI>
<LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
</UL>
<H4><A name="interesting">Particularly interesting papers</A></H4>
<P>These papers emphasize important issues around the use of 
cryptography,  and the design and management of secure systems.</P>
<UL>
<LI><A href="http://www.counterpane.com/keylength.html">Key length 
 requirements for security</A></LI>
<LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why 
 Cryptosystems Fail</A></LI>
<LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed 
 encryption</A></LI>
<LI><A href="http://www.counterpane.com/pitfalls.html">Security 
pitfalls  in cryptography</A></LI>
<LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting 
 Trust</A>, Ken Thompson on Trojan horse design</LI>
<LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against 
Compelled  Disclosure</A>, how to maintain privacy in the face of legal 
or other coersion </LI>
</UL>
<H3><A name="compsec">Computer and network security</A></H3>
<H4><A name="seclink">Security links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST  Hotlist</A></LI>
<LI>DMOZ open directory project <A href="http://dmoz.org/Computers/Security/">
computer security</A> links</LI>
<LI><A href="http://www.telstra.com.au/info/security.html">Telstra</A></LI>
<LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet  Yee</A></LI>
<LI><A href="http://www.excelmail.com">Email Security and PKI  Documents</A>
</LI>
<LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of 
 links to freely available security tools</LI>
<LI>Mike Fuhr's <A href="http://www.fuhr.org/~mfuhr/computers/security.html">
link collection</A></LI>
<LI><A href="http://www.networkintrusion.co.uk/">links</A> with an 
emphasis on intrusion  detection </LI>
</UL>
<H4><A name="firewall3">Firewall links</A></H4>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST  firewalls</A>
</LI>
<LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
<LI><A href="http://www.digital.de/~jmh/fw-stuff.html">Firewall info 
 list</A></LI>
<LI><A href="http://www.idx.com.au/~amilev/Firewalls1.htm">Ami 
 Levartovsky</A></LI>
</UL>
<H4><A name="vpn">VPN links</A></H4>
<UL>
<LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
<LI>First VPN's <A href="http://www.firstvpn.com/research/rhome.html">
white paper</A> collection</LI>
<LI>oddsites.com <A href="http://www.oddsites.com/vpn/">VPN links</A></LI>
</UL>
<H4><A name="tools">Security tools</A></H4>
<UL>
<LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of 
 links to freely available security tools</LI>
<LI>PGP -- mail encryption 
<UL>
<LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for 
 commercial versions</LI>
<LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes 
 the NAI product for non-commercial use</LI>
<LI><A href="http://www.pgpi.org/">international</A> distribution  site</LI>
<LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
<LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
</UL>
 A message in our mailing list archive has considerable detail on <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
 available versions</A> of PGP and on IPSEC support in them. </LI>
<P><STRONG> Note:</STRONG> A fairly nasty bug exists in all commercial 
PGP  versions from 5.5 through 6.5.3. If you have one of those, read 
the <A href="http://www.pgp.com/other/advisories/adk.asp"> security 
advisory</A> and <STRONG>upgrade now</STRONG>. </P>
<LI>SSH -- secure remote login 
<UL>
<LI><A href="www.ssh.fi">SSH Communications Security</A>, for the 
 original software. It is free for trial, academic and non-commercial 
 use.</LI>
<LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD 
 team's free replacement</LI>
<LI><A href="http://www.freessh.org/">freessh.org</A>, links to free 
 implementations for many systems</LI>
<LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH  FAQ</A></LI>
<LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
, an SSH client for Windows </LI>
</UL>
</LI>
<LI><A name="ssmail">ssmail -- sendmail patched to do <A href="carpediem">
opportunistic encryption</A>
<UL>
<LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with 
 links to code and to a Usenix paper describing it, in PDF</LI>
</UL>
</A></LI>
<LI><A href="ftp://ftp.cert.org/pub/tools/cops">COPS</A> Computer 
Oracle  and Password System; tests a system for various weaknesses</LI>
<LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A>
 System  Administrators Tool for Analysing Networks</LI>
<LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
<LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic  Archive</A>
, various tools to analyze network traffic, mostly scripts to  organise 
and format tcpdump(8) output for specific purposes</LI>
<LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse 
 Venema's page</A> with various tools</LI>
<LI><A href="ftp://ftp.cert.org/pub/tools/crack">Crack</A> password 
 cracker</LI>
<LI><A href="ftp://coast.cs.purdue.edu/pub/COAST/Tripwire">Tripwire</A>
 saves message digests of your system files. Re-calculate the digests 
and  compare to saved values to detect any file changes.</LI>
<LI><A href="http://all.net/dtk.html">Deception Toolkit</A>, a 
collection  of &quot;honeypot&quot; servers which emulate widely exploited 
weaknesses while  logging the attacks.</LI>
<LI><A href="http://www.openca.org/">Open CA</A> project to develop a 
 freely distributed <A href="#CA">Certification Authority</A> for 
 building a open <A href="#PKI">Public Key Infrastructure</A>.</LI>
<LI><A href="http://expert.cc.purdue.edu/~frantzen/">ISIC</A>, <STRONG>
 IP</STRONG><STRONG> s</STRONG>tack <STRONG>i</STRONG>ntegrity <STRONG>
 c</STRONG>hecker, generates legitmate and bogus packets &quot;to test  the 
stability of an IP Stack and its component stacks (TCP, UDP, ICMP  et. 
al.)&quot;</LI>
</UL>
<H3><A name="people">Links to home pages</A></H3>
<P> David Wagner at Berkeley provides a set of links to <A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
home pages</A> of cryptographers, cypherpunks and computer security 
people.</P>
<HR>
<H1><A name="ourgloss">Glossary for the Linux FreeS/WAN project</A></H1>
<P> Entries are in alphabetical order. Some entries are only one line 
or one paragraph long. Others run to several paragraphs. I have tried 
to put the essential information in the first paragraph so you can skip 
the other paragraphs if that seems appropriate.</P>
<HR>
<H2><A name="jump">Jump to a letter in the glossary</A></H2>
<CENTER><BIG><B><A href="#0"> numeric</A><A href="#A"> A</A><A href="#B">
 B</A><A href="#C"> C</A><A href="#D"> D</A><A href="#E"> E</A><A href="#F">
 F</A><A href="#G"> G</A><A href="#H"> H</A><A href="#I"> I</A><A href="#J">
 J</A><A href="#K"> K</A><A href="#L"> L</A><A href="#M"> M</A><A href="#N">
 N</A><A href="#O"> O</A><A href="#P"> P</A><A href="#Q"> Q</A><A href="#R">
 R</A><A href="#S"> S</A><A href="#T"> T</A><A href="#U"> U</A><A href="#V">
 V</A><A href="#W"> W</A><A href="#X"> X</A><A href="#Y"> Y</A><A href="#Z">
 Z</A></B></BIG></CENTER>
<HR>
<H2><A name="gloss">Other glossaries</A></H2>
<P>Other glossaries which overlap this one include:</P>
<UL>
<LI>The VPN Consortium's glossary of <A href="http://www.vpnc.org/terms.html">
VPN terms</A>.</LI>
<LI>glossary portion of the <A href="http://www.rsa.com/rsalabs/faq/html/glossary.html">
Cryptography  FAQ</A></LI>
<LI>an extensive crytographic glossary on <A href="http://www.io.com/~ritter/GLOSSARY.HTM">
Terry Ritter's</A> page.</LI>
<LI>The <A href="#NSA">NSA</A>'s <A href="http://www.sans.org/newlook/resources/glossary.htm">
glossary of  computer security</A> on the <A href="http://www.sans.org">
SANS  Institute</A> site.</LI>
<LI>an <A href="http://www.ietf.org/internet-drafts/draft-shirey-security-glossary-01.txt">
Internet  Draft</A> Crypto Glossary</LI>
<LI>a small glossary for Internet Security at <A href="http://www5.zdnet.com/pcmag/pctech/content/special/glossaries/internetsecurity.html">
 PC magazine</A></LI>
<LI>The <A href="http://www.visi.com/crypto/inet-crypto/glossary.html">
glossary</A> from Richard Smith's book <A href="#Smith">Internet 
 Cryptography</A></LI>
</UL>
<P>Three Internet glossaries are available as RFCs:</P>
<UL>
<LI><A href="http://www.rfc-editor.org/rfc/rfc1208.txt">Glossary of 
 Networking Terms</A></LI>
<LI><A href="http://www.rfc-editor.org/rfc/rfc1983.txt">Internet User's 
 Glossary</A></LI>
<LI><A href="http://www.rfc-editor.org/rfc/rfc2828.txt">Internet 
Security  Glossary</A></LI>
</UL>
<P>More general glossary or dictionary information:</P>
<UL>
<LI>Free Online Dictionary of Computing (FOLDOC) 
<UL>
<LI><A href="http://www.nightflight.com/foldoc">North America</A></LI>
<LI><A href="http://wombat.doc.ic.ac.uk/foldoc/index.html">Europe</A></LI>
<LI><A href="http://www.nue.org/foldoc/index.html">Japan</A></LI>
</UL>
</LI>
<P>There are many more mirrors of this dictionary.</P>
<LI><A href="http://hissa.ncsl.nist.gov/~black/CRCDict/">CRC dictionary 
of  Computer Science</A></LI>
<LI>The Jargon File, the definitive resource for hacker slang and 
folklore 
<UL>
<LI><A href="http://www.netmeg.net/jargon">North America</A></LI>
<LI><A href="http://info.wins.uva.nl/~mes/jargon/">Holland</A></LI>
<LI><A href="http://www.tuxedo.org/~esr/jargon">home page</A></LI>
</UL>
</LI>
<P>There are also many mirrors of this. See the home page for a list.</P>
<LI>A general <A href="http://www.trinity.edu/~rjensen/245glosf.htm#Navigate">
 technology  glossary</A></LI>
<LI>An <A href="http://www.yourdictionary.com/">online  dictionary 
resource page</A> with pointers to many dictionaries for many  languages</LI>
<LI>A <A href="http://www.onelook.com/">search engine</A> that accesses 
 several hundred online dictionaries</LI>
<LI>O'Reilly <A href="http://www.ora.com/reference/dictionary/">
Dictionary  of PC Hardware and Data Communications Terms</A></LI>
</UL>
<P>Internet encyclopedias include:</P>
<UL>
<LI><A href="http://www.FreeSoft.org/CIE/index.htm">Connected</A></LI>
<LI><A href="http://www.whatis.com/">whatis.com</A></LI>
</UL>
<HR>
<H2><A name="definitions">Definitions</A></H2>
<DL>
<DT><A name="3DES"><A name="0">3DES (Triple DES)</A></A></DT>
<DD>Using three <A href="#DES">DES</A> encryptions on a single data 
 block, with at least two different keys, to get higher security than 
 is available from a single DES pass. The three-key version of 3DES is 
 the default encryption algorithm for <A href="#FreeSWAN">Linux 
 FreeS/WAN</A>. </DD>
<P><A href="#IPSEC">IPSEC</A> always does 3DES with three different 
 keys, as required by RFC 2451. For an explanation of the two-key 
 variant, see <A href="#2key">two key triple DES</A>. Both use an <A href="#EDE">
EDE</A> encrypt-decrypt-encrpyt sequence of  operations.</P>
<P>Single <A href="#DES">DES</A> is <A href="#desnotsecure">insecure</A>
.</P>
<P>Double DES is ineffective. Using two 56-bit keys, one might expect 
 an attacker to have to do 2<SUP>112</SUP> work to break it. In fact, 
 only 2<SUP>57</SUP> work is required with a <A href="#meet">
meet-in-the-middle attack</A>, though a large amount of  memory is also 
required. Triple DES is vulnerable to a similar attack,  but that just 
reduces the work factor from the 2<SUP>168</SUP> one  might expect to 2<SUP>
112</SUP>. That provides adequate protection  against <A href="#brute">
brute force</A> attacks, and no better attack  is known.</P>
<P>3DES can be somewhat slow compared to other ciphers. It requires 
 three DES encryptions per block. DES was designed for hardware 
 implementation and includes some operations which are difficult in 
 software. However, the speed we get is quite acceptable for many uses. 
 See <A href="#benchmarks">benchmarks</A> below for details.</P>
<DT><A name="A">A</A></DT>
<DT><A name="active"><A name="A">Active attack</A></A></DT>
<DD>An attack in which the attacker does not merely eavesdrop (see <A href="#passive">
passive attack</A>) but takes action to change,  delete, reroute, add, 
forge or divert data. Perhaps the best-known  active attack is <A href="#middle">
man-in-the-middle</A>. In general, <A href="#authentication">
 authentication</A> is a useful defense  against active attacks.</DD>
<DT><A name="AES">AES</A></DT>
<DD>The <B>A</B>dvanced <B>E</B>ncryption <B>S</B>tandard, a new <A href="#block">
block cipher</A> standard to replace <A href="#desnotsecure">DES</A>
 being developed by <A href="#NIST">NIST</A>, the US National Institute 
of Standards and  Technology. DES used 64-bit blocks and a 56-bit key. 
AES ciphers use a  128-bit block and are required to support 128, 192 
and 256-bit keys.  Some of them support other sizes as well. The larger 
block size helps  resist <A href="#birthday">birthday attacks</A> while 
the large key  size prevents <A href="#brute">brute force attacks</A>. </DD>
<P>Fifteen proposals meeting NIST's basic criteria were submitted in 
 1998 and subjected to intense discussion and analysis, &quot;round one&quot; 
 evaluation. In August 1999, NIST narrowed the field to five &quot;round 
 two&quot; candidates:</P>
<UL>
<LI><A href="http://www.research.ibm.com/security/mars.html">Mars</A>
 from IBM</LI>
<LI><A href="http://www.rsa.com/rsalabs/aes/">RC6</A> from RSA</LI>
<LI><A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</A>
 from two Belgian researchers</LI>
<LI><A href="http://www.cl.cam.ac.uk/~rja14/serpent.html">Serpent</A>, 
a  British-Norwegian-Israeli research collaboration</LI>
<LI><A href="http://www.counterpane.com/twofish.html">Twofish</A> from 
the consulting firm Counterpane</LI>
</UL>
<P> In October 2000, NIST announced the winner -- Rijndael.</P>
<P>Adding one or more AES ciphers to <A href="#FreeSWAN">Linux 
 FreeS/WAN</A> would be useful undertaking, and considerable freely 
 available code exists to start from. One complication is that our code 
 is built for a 64-bit block cipher and AES uses a 128-bit block. 
 Volunteers via the <A href="#list">mailing lists</A> would be  welcome.</P>
<P>For more information, see the <A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
 NIST AES home  page</A> or the <A href="http://www.ii.uib.no/~larsr/aes.html">
 Block  Cipher Lounge AES page</A>. For code and benchmarks see <A href="http://www.btinternet.com/~brian.gladman/">
 Brian Gladman's page </A> .</P>
<DT><A name="AH">AH</A></DT>
<DD>The <A href="#IPSEC">IPSEC</A><B> A</B>uthentication <B>H</B>eader, 
 added after the IP header. For details, see our <A href="#overview">
IPSEC Overview</A> document and/or RFC 2402.</DD>
<DT><A name="alicebob">Alice and Bob</A></DT>
<DD>A and B, the standard example users in writing on cryptography and 
 coding theory. Carol and Dave join them for protocols which require 
 more players. </DD>
<P><A href="#schneier">Bruce Schneier</A> extends these with many 
 others such as Eve the Eavesdropper and Victor the Verifier. His 
 extensions seem to be in the process of becoming standard as well. See 
 page 23 of <A href="#schneier"> Applied Cryptography</A></P>
<P>Alice and Bob have an amusing <A href="http://www.conceptlabs.co.uk/alicebob.html">
 biography</A> on  the web.</P>
<DT>ARPA</DT>
<DD>see <A href="#DARPA">DARPA</A></DD>
<DT><A name="ASIO">ASIO</A></DT>
<DD>Australian Security Intelligence Organisation.</DD>
<DT>Asymmetric cryptography</DT>
<DD>See <A href="#public">public key cryptography</A>.</DD>
<DT><A name="authentication">Authentication</A></DT>
<DD>Ensuring that a message originated from the expected sender and has 
 not been altered on route. <A href="#IPSEC">IPSEC</A> uses 
 authentication in two places: </DD>
<P>
<UL>
<LI>peer authentication, authenticating the players in <A href="#IKE">
IKE</A>'s <A href="#DH">Diffie-Hellman</A> key  exchanges to prevent <A href="#middle">
man-in-the-middle  attacks</A>. This can be done in a number of ways. 
The methods  supported by FreeS/WAN are discussed in our <A href="#choose">
configuration</A> document.</LI>
<LI>packet authentication, authenticating packets on an established <A href="#SA">
 SA</A>, either with a separate <A href="#AH">authentication header</A>
 or with the optional  authentication in the <A href="#ESP">ESP</A>
 protocol. In either  case, packet authentication uses a <A href="#HMAC">
hashed message  athentication code</A> technique.</LI>
</UL>
<P>Outside IPSEC, passwords are perhaps the most common authentication 
 mechanism. Their function is essentially to authenticate the person's 
 identity to the system. Passwords are generally only as secure as the 
 network they travel over. If you send a cleartext password over a 
 tapped phone line or over a network with a packet sniffer on it, the 
 security provided by that password becomes zero. Sending an encrypted 
 password is no better; the attacker merely records it and reuses it at 
 his convenience. This is called a <A href="#replay">replay</A> attack.</P>
<P>A common solution to this problem is a <A href="#challenge">
challenge-response</A> system. This defeats simple  eavesdropping and 
replay attacks. Of course an attacker might still  try to break the 
cryptographic algorithm used, or the <A href="#random"> random number</A>
 generator.</P>
<DT><A name="auto">Automatic keying</A></DT>
<DD>A mode in which keys are automatically generated at connection 
 establisment and new keys automaically created periodically 
 thereafter. Contrast with <A href="#manual">manual keying</A> in which 
 a single stored key is used. </DD>
<P>IPSEC uses the <A href="#DH">Diffie-Hellman key exchange  protocol</A>
 to create keys. An <A href="authentication">authentication</A>
 mechansim is required for  this. The methods supported by FreeS/WAN 
are discussed in our <A href="#choose">configuration</A> document.</P>
<P>Having an attacker break the authentication is emphatically not a 
 good idea. An attacker that breaks authentication, and manages to 
 subvert some other network entities (DNS, routers or gateways), can 
 use a <A href="#middle">man-in-the middle attack</A> to break the 
 security of your IPSEC connections.</P>
<P>However, having an attacker break the authentication in automatic 
 keying is not quite as bad as losing the key in manual keying.</P>
<UL>
<LI>An attacker who reads /etc/ipsec.conf and gets the keys for a 
 manually keyed connection can, without further effort, read all 
 messages encrypted with those keys, including any old messages he  may 
have archived.</LI>
<LI>Automatic keying has a property called <A href="#PFS">perfect 
 forward secrecy</A>. An attacker who breaks the authentication  gets 
none of the automatically generated keys and cannot  immediately read 
any messages. He has to mount a successful <A href="#middle">
man-in-the-middle attack</A> in real time before he  can read anything. 
He cannot read old archived messages at all and  will not be able to 
read any future messages not caught by  man-in-the-middle tricks.</LI>
</UL>
<P>That said, the secrets used for authentication, stored in <A href="manpage.d/ipsec.secrets.5.html">
ipsec.secrets(5)</A>, should  still be protected as tightly as 
cryptographic keys.</P>
<DT><A name="B">B</A></DT>
<DT><A href="http://www.nortelnetworks.com">Bay  Networks</A></DT>
<DD>A vendor of routers, hubs and related products, now a subsidiary of 
 Nortel. Interoperation between their IPSEC products and Linux 
 FreeS/WAN was problematic at last report; see our <A href="#bay">
interoperation</A> section.</DD>
<DT><A name="benchmarks">benchmarks</A></DT>
<DD>Our default block cipher, <A href="#3DES">triple DES</A>, is slower 
 than many alternate ciphers that might be used. Speeds achieved, 
 however, seem adequate for many purposes. For example, the assembler 
 code from the <A href="#LIBDES">LIBDES</A> library we use encrypts 1.6 
 megabytes per second on a Pentium 200, according to the test program 
 supplied with the library. </DD>
<P> For more detail, see our document on <A href="performance.html">
FreeS/WAN performance</A>. </P>
<DT><A name="BIND">BIND</A></DT>
<DD><B>B</B>erkeley <B>I</B>nternet <B>N</B>ame <B>D</B>aemon, a widely 
 used implementation of <A href="#DNS">DNS</A> (Domain Name Service). 
 See our bibliography for a <A href="#DNS">useful reference</A>. See 
 the <A href="http://www.isc.org/bind.html">BIND home page</A> for more 
 information and the latest version.</DD>
<DT><A name="birthday">Birthday attack</A></DT>
<DD>A cryptographic attack based on the mathematics exemplified by the <A
href="#paradox"> birthday paradox</A>. This math turns up whenever  the 
question of two cryptographic operations producing the same result 
 becomes an issue: 
<UL>
<LI><A href="#collision">collisions</A> in <A href="#digest">message 
 digest</A> functions.</LI>
<LI>identical output blocks from a <A href="#block">block  cipher</A></LI>
<LI>repetition of a challenge in a <A href="#challenge">
challenge-response</A> system</LI>
</UL>
</DD>
<P>Resisting such attacks is part of the motivation for:</P>
<UL>
<LI>hash algorithms such as <A href="#SHA">SHA</A> and <A href="#RIPEMD">
RIPEMD-160</A> giving a 160-bit result rather than  the 128 bits of <A href="#MD4">
MD4</A>, <A href="#MD5">MD5</A> and <A href="#RIPEMD"> RIPEMD-128</A>.</LI>
<LI><A href="#AES">AES</A> block ciphers using a 128-bit block  instead 
of the 64-bit block of most current ciphers</LI>
<LI><A href="#IPSEC">IPSEC</A> using a 32-bit counter for packets  sent 
on an <A href="#auto">automatically keyed</A><A href="#SA"> SA</A> and 
requiring that the connection always be  rekeyed before the counter 
overflows.</LI>
</UL>
<DT><A name="paradox">Birthday paradox</A></DT>
<DD>Not really a paradox, just a rather counter-intuitive mathematical 
 fact. In a group of 23 people, the chance of a least one pair having 
 the same birthday is over 50%. </DD>
<P>The second person has 1 chance in 365 (ignoring leap years) of 
 matching the first. If they don't match, the third person's chances of 
 matching one of them are 2/365. The 4th, 3/365, and so on. The total 
 of these chances grows more quickly than one might guess.</P>
<DT><A name="block">Block cipher</A></DT>
<DD>A <A href="#symmetric">symmetric cipher</A> which operates on 
 fixed-size blocks of plaintext, giving a block of ciphertext for each. 
 Contrast with <A href="#stream"> stream cipher</A>. Block ciphers can 
 be used in various <A href="#mode">modes</A> when multiple block are 
 to be encrypted. </DD>
<P><A href="#DES">DES</A> is among the the best known and widely used 
 block ciphers, but is now obsolete. Its 56-bit key size makes it <A href="#desnotsecure">
highly insecure</A> today. <A href="#3DES">Triple  DES</A> is the 
default transform for <A href="#FreeSWAN">Linux  FreeS/WAN</A> because 
it is the only cipher which is both required in  the <A href="#RFC">RFCs</A>
 and apparently secure.</P>
<P>The current generation of block ciphers -- such as <A href="#Blowfish">
Blowfish</A>, <A href="#CAST128">CAST-128</A> and <A href="#IDEA">IDEA</A>
 -- all use 64-bit blocks and 128-bit keys. The  next generation, <A href="#AES">
AES</A>, uses 128-bit blocks and  supports key sizes up to 256 bits.</P>
<P>The <A href="http://www.ii.uib.no/~larsr/bc.html"> Block Cipher 
 Lounge</A> web site has more information.</P>
<DT><A name="Blowfish">Blowfish</A></DT>
<DD>A <A href="#block">block cipher</A> using 64-bit blocks and keys of 
 up to 448 bits, designed by <A href="#schneier">Bruce Schneier</A> and 
 used in several products. </DD>
<P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>.</P>
<DT><A name="brute">Brute force attack (exhaustive search)</A></DT>
<DD>Breaking a cipher by trying all possible keys. This is always 
 possible in theory (except against a <A href="#OTP">one-time pad</A>), 
 but it becomes practical only if the key size is inadequate. For an 
 important example, see our document on the <A href="#desnotsecure">
insecurity of DES</A> with its 56-bit key. For an  analysis of key 
sizes required to resist plausible brute force  attacks, see <A href="http://www.counterpane.com/keylength.html">
this  paper</A>. </DD>
<P>Longer keys protect against brute force attacks. Each extra bit in 
 the key doubles the number of possible keys and therefore doubles the 
 work a brute force attack must do. A large enough key defeats <STRONG>
 any</STRONG> brute force attack.</P>
<P>For example, the EFF's <A href="#EFF">DES Cracker</A> searches a 
 56-bit key space in an average of a few days. Let us assume an 
 attacker that can find a 64-bit key (256 times harder) by brute force 
 search in a second (a few hundred thousand times faster). For a 96-bit 
 key, that attacker needs 2<SUP>32</SUP> seconds, just over a century. 
 Against a 128-bit key, he needs 2<SUP>32</SUP> centuries or about 
 400,000,000,000 years. Your data is then obviously secure against 
 brute force attacks. Even if our estimate of the attacker's speed is 
 off by a factor of a million, it still takes him 400,000 years to 
 crack a message.</P>
<P>This is why</P>
<UL>
<LI>single <A href="#DES">DES</A> is now considered <A href="#desnotsecure">
dangerously insecure</A></LI>
<LI>all of the current generation of <A href="#block">block  ciphers</A>
 use a 128-bit or longer key</LI>
<LI><A href="#AES">AES</A> ciphers support keysizes 128, 192 and 256 
 bits</LI>
<LI>any cipher we add to Linux FreeS/WAN will have <EM>at least</EM> a 
128-bit key</LI>
</UL>
<P><STRONG>Cautions:</STRONG>
<BR><EM> Inadequate keylength always indicates a weak cipher</EM> but 
it is  important to note that <EM>adequate keylength does not 
necessarily  indicate a strong cipher</EM>. There are many attacks 
other than brute  force, and adequate keylength <EM>only</EM>
 guarantees resistance to  brute force. Any cipher, whatever its key 
size, will be weak if design  or implementation flaws allow other 
attacks.</P>
<P>Also, <EM>once you have adequate keylength</EM> (somewhere around 
 90 or 100 bits), <EM>adding more key bits make no practical  difference</EM>
, even against brute force. Consider our 128-bit  example above that 
takes 400 billion years to break by brute force. Do  we care if an 
extra 16 bits of key put that into the quadrillions? No.  What about 16 
fewer bits reducing it to the 112-bit security level of <A href="#3DES">
 Triple DES</A>, which our example attacker could break  in just over a 
billion years? No again, unless we're being really  paranoid about 
safety margins.</P>
<P>There may be reasons of convenience in the design of the cipher to 
 support larger keys. For example <A href="#Blowfish">Blowfish</A>
 allows up to 448 bits and <A href="#RC4">RC4</A> up to 2048, but 
 beyond 100-odd bits it makes no difference to practical security.</P>
<DT>Bureau of Export Administration</DT>
<DD>see <A href="#BXA">BXA</A></DD>
<DT><A name="BXA">BXA</A></DT>
<DD>The US Commerce Department's <B>B</B>ureau of E<B>x</B>port <B> A</B>
dministration which administers the <A href="#EAR">EAR</A> Export 
Administration Regulations controling the export of, among  other 
things, cryptography.</DD>
<DT><A name="C">C</A></DT>
<DT><A name="CA"><A name="C">CA</A></A></DT>
<DD><B>C</B>ertification <B>A</B>uthority, an entity in a <A href="#PKI">
public key infrastructure</A> that can certify keys by  signing them. 
Usually CAs form a hierarchy. The top of this hierarchy  is called the <A
href="#rootCA">root CA</A>. </DD>
<P>See <A href="#web">Web of Trust</A> for an alternate model.</P>
<DT><A name="CAST128">CAST-128</A></DT>
<DD>A <A href="#block">block cipher</A> using 64-bit blocks and 128-bit 
 keys, described in RFC 2144 and used in products such as <A href="#Entrust">
Entrust</A> and recent versions of <A href="#PGP">PGP</A>. </DD>
<P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>.</P>
<DT>CAST-256</DT>
<DD><A href="#Entrust">Entrust</A>'s candidate cipher for the <A href="#AES">
AES standard</A>, largely based on the <A href="#CAST128">CAST-128</A>
 design.</DD>
<DT><A name="CBC">CBC mode</A></DT>
<DD><B>C</B>ipher <B>B</B>lock <B>C</B>haining <A href="#mode">mode</A>
,  a method of using a <A href="#block">block cipher</A> in which for 
 each block except the first, the result of the previous encryption is 
 XORed into the new block before it is encrypted. CBC is the mode used 
 in <A href="#IPSEC">IPSEC</A>. </DD>
<P>An <A href="#IV">initialisation vector</A> (IV) must be provided. 
 It is XORed into the first block before encryption. The IV need not be 
 secret but should be different for each message and unpredictable.</P>
<DT>Certification Authority</DT>
<DD>see <A href="#CA">CA</A></DD>
<DT><A name="mode">Cipher Modes</A></DT>
<DD>Different ways of using a block cipher when encrypting multiple 
 blocks. </DD>
<P>Four standard modes were defined for <A href="#DES">DES</A> in <A href="#FIPS">
FIPS</A> 81. They can actually be applied with any block  cipher.</P>
<TABLE><TBODY>
<TR><TD><TD><A href="#ECB">ECB</A></TD><TD>Electronic CodeBook</TD><TD>
encrypt each block independently</TD></TR>
<TR><TD><TD><A href="#CBC">CBC</A></TD><TD>Cipher Block Chaining
<BR></TD><TD>XOR previous block ciphertext into new block plaintext 
 before encrypting new block</TD></TR>
<TR><TD><TD>CFB</TD><TD>Cipher FeedBack</TD><TD></TR>
<TR><TD><TD>OFB</TD><TD>Output FeedBack</TD><TD></TR>
</TABLE>
<P><A href="#IPSEC">IPSEC</A> uses <A href="#CBC">CBC</A> mode since 
 this is only marginally slower than <A href="#ECB">ECB</A> and is more 
 secure. In ECB mode the same plaintext always encrypts to the same 
 ciphertext, unless the key is changed. In CBC mode, this does not 
 occur.</P>
<P>Various other modes are also possible, but none of them are used in 
 IPSEC.</P>
<DT><A name="challenge">Challenge-response authentication</A></DT>
<DD>An <A href="#authentication">authentication</A> system in which one 
 player generates a <A href="#random">random number</A>, encrypts it 
 and sends the result as a challenge. The other player decrypts and 
 sends back the result. If the result is correct, that proves to the 
 first player that the second player knew the appropriate secret, 
 required for the decryption. Variations on this technique exist using <A
href="#public"> public key</A> or <A href="#symmetric">symmetric</A>
 cryptography. Some provide two-way authentication, assuring each 
 player of the other's identity. </DD>
<P>This is more secure than passwords against two simple attacks:</P>
<UL>
<LI>If cleartext passwords are sent across the wire (e.g. for  telnet), 
an eavesdropper can grab them. The attacker may even be  able to break 
into other systems if the user has chosen the same  password for them.</LI>
<LI>If an encrypted password is sent, an attacker can record the 
 encrypted form and use it later. This is called a replay  attack.</LI>
</UL>
<P>A challenge-response system never sends a password, either 
 cleartext or encrypted.  An attacker cannot record the response to one 
 challenge and use it as a response to a later challenge. The random 
 number is different each time.</P>
<P>Of course an attacker might still try to break the cryptographic 
 algorithm used, or the <A href="#random">random number</A> generator.</P>
<DT><A name="ciphertext">Ciphertext</A></DT>
<DD>The encrypted output of a cipher, as opposed to the unencrypted <A href="#plaintext">
plaintext</A> input.</DD>
<DT><A href="http://www.cisco.com">Cisco</A></DT>
<DD>A vendor of routers, hubs and related products. Their IPSEC 
products  interoperate with Linux FreeS/WAN; see our <A href="#Cisco">
interop</A> section.</DD>
<DT><A name="client">Client</A></DT>
<DD>This term has at least two distinct uses in discussing IPSEC: 
<UL>
<LI>The <STRONG>clients of an IPSEC gateway</STRONG> are the  machines 
it protects, typically on one or more subnets behind the  gateway. In 
this usage, all the machines on an office network are  clients of that 
office's IPSEC gateway. Laptop or home machines  connecting to the 
office, however, are <EM>not</EM> clients of  that gateway. They are 
remote gateways, running the other end of  an IPSEC connection. Each of 
them is also its own client.</LI>
<LI><STRONG>IPSEC client software</STRONG> is used to describe 
 software which runs on various standalone machines to let them 
 connect to IPSEC networks. In this usage, a laptop or home machine 
 connecting to the office <EM>is</EM> a client machine.</LI>
</UL>
</DD>
<P>We generally use the term in the first sense. Vendors of Windows 
 IPSEC solutions often use it in the second.</P>
<DT>Conventional cryptography</DT>
<DD>See <A href="#symmetric">symmetric cryptography</A></DD>
<DT><A name="collision">Collision resistance</A></DT>
<DD>The property of a <A href="#digest">message digest</A> algorithm 
 which makes it hard for an attacker to find or construct two inputs 
 which hash to the same output.</DD>
<DT>Copyleft</DT>
<DD>see GNU <A href="#GPL">General Public License</A></DD>
<DT><A name="CSE">CSE</A></DT>
<DD><A href="http://www.cse-cst.gc.ca/cse/english/home_1.html">
Communications  Security Establishment</A>, the Canadian organisation 
for <A href="#SIGINT">signals intelligence</A>.</DD>
<DT><A name="D">D</A></DT>
<DT><A name="DARPA"><A name="D">DARPA (sometimes just ARPA)</A></A></DT>
<DD>The US government's <B>D</B>efense <B>A</B>dvanced <B>R</B>esearch <B>
 P</B>rojects <B>A</B>gency. Projects they have funded over the  years 
have included the Arpanet which evolved into the Internet, the  TCP/IP 
protocol suite (as a replacement for the original Arpanet  suite), the 
Berkeley 4.x BSD Unix projects, and <A href="#SDNS">Secure  DNS</A>. </DD>
<P>For current information, see their <A href="http://www.darpa.mil/ito">
web site</A>.</P>
<DT><A name="DOS">Denial of service (DoS) attack</A></DT>
<DD>An attack that aims at denying some service to legitimate users of 
a  system, rather than providing a service to the attacker. 
<UL>
<LI>One variant is a flooding attack, overwhelming the system with  too 
many packets, to much email, or whatever.</LI>
<LI>A closely related variant is a resource exhaustion attack. For 
 example, consider a &quot;TCP SYN flood&quot; attack. Setting up a TCP 
 connection involves a three-packet exchange: 
<UL>
<LI>Initiator: Connection please (SYN)</LI>
<LI>Responder: OK (ACK)</LI>
<LI>Initiator: OK here too</LI>
</UL>
</LI>
<P>If the attacker puts bogus source information in the first  packet, 
such that the second is never delivered, the responder may  wait a long 
time for the third to come back. If responder has  already allocated 
memory for the connection data structures, and  if many of these bogus 
packets arrive, the responder may run out  of memory.</P>
<LI>Another variant is to feed the system undigestible data, hoping  to 
make it sick. For example, IP packets are limited in size to  64K bytes 
and a fragment carries information on where it starts  within that 64K 
and how long it is. The &quot;ping of death&quot; delivers  fragments that say, 
for example, that they start at 60K and are  20K long. Attempting to 
re-assemble these without checking for  overflow can be fatal.</LI>
</UL>
</DD>
<P>The two example attacks discussed were both quite effective when 
 first discovered, capable of crashing or disabling many operating 
 systems. They were also well-publicised, and today far fewer systems 
 are vulnerable to them.</P>
<DT><A name="DES">DES</A></DT>
<DD>The <B>D</B>ata <B>E</B>ncryption <B>S</B>tandard, a <A href="#block">
block cipher</A> with 64-bit blocks and a 56-bit key.  Probably the 
most widely used <A href="#symmetric">symmetric  cipher</A> ever 
devised. DES has been a US government standard for  their own use (only 
for unclassified data), and for some regulated  industries such as 
banking, since the late 70's. </DD>
<P><A href="#desnotsecure">DES is seriously insecure against current 
 attacks.</A></P>
<P><A href="#FreeSWAN">Linux FreeS/WAN</A> does not include DES, even 
 though the RFCs specify it. <B>We strongly recommend that single DES 
 not be used.</B></P>
<P>See also <A href="#3DES">3DES</A> and <A href="#DESX">DESX</A>, 
 stronger ciphers based on DES.</P>
<DT><A name="DESX">DESX</A></DT>
<DD>An improved <A href="#DES">DES</A> suggested by Ron Rivest of RSA 
 Data Security. It XORs extra key material into the text before and 
 after applying the DES cipher. </DD>
<P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>. DESX would 
 be the easiest additional transform to add; there would be very little 
 code to write. It would be much faster than 3DES and almost certainly 
 more secure than DES. However, since it is not in the RFCs other IPSEC 
 implementations cannot be expected to have it.</P>
<DT>DH</DT>
<DD>see <A href="#DH">Diffie-Hellman</A></DD>
<DT><A name="DH">Diffie-Hellman (DH) key exchange protocol</A></DT>
<DD>A protocol that allows two parties without any initial shared 
secret  to create one in a manner immune to eavesdropping. Once they 
have done  this, they can communicate privately by using that shared 
secret as a  key for a block cipher or as the basis for key exchange. </DD>
<P>The protocol is secure against all <A href="#passive">passive 
 attacks</A>, but it is not at all resistant to active <A href="#middle">
man-in-the-middle attacks</A>. If a third party can  impersonate Bob to 
Alice and vice versa, then no useful secret can be  created. 
Authentication of the participants is a prerequisite for safe 
 Diffie-Hellman key exchange. IPSEC can use any of several <A href="#authentication">
authentication</A> mechanisims. Those supported  by FreeS/WAN are 
discussed in our <A href="#choose">configuration</A> section.</P>
<P>The Diffie-Hellman key exchange is based on the <A href="#dlog">
discrete logarithm</A> problem and is secure unless  someone finds an 
efficient solution to that problem.</P>
<P>Given a prime <VAR>p</VAR> and generator <VAR>g</VAR> (explained 
 under <A href="#dlog">discrete log</A> below), Alice:</P>
<UL>
<LI>generates a random number <VAR>a</VAR></LI>
<LI>calculates <VAR>A = g^a modulo p</VAR></LI>
<LI>sends <VAR>A</VAR> to Bob</LI>
</UL>
<P>Meanwhile Bob:</P>
<UL>
<LI>generates a random number <VAR>b</VAR></LI>
<LI>calculates <VAR>B = g^b modulo p</VAR></LI>
<LI>sends <VAR>B</VAR> to Alice</LI>
</UL>
<P>Now Alice and Bob can both calculate the shared secret <VAR>s = 
 g^(ab)</VAR>. Alice knows <VAR>a</VAR> and <VAR>B</VAR>, so she 
 calculates <VAR>s = B^a</VAR>. Bob knows <VAR>A</VAR> and <VAR>b</VAR>
 so he calculates <VAR>s = A^b</VAR>.</P>
<P>An eavesdropper will know <VAR>p</VAR> and <VAR>g</VAR> since these 
 are made public, and can intercept <VAR>A</VAR> and <VAR>B</VAR> but, 
 short of solving the <A href="#dlog">discrete log</A> problem, these 
 do not let him or her discover the secret <VAR>s</VAR>.</P>
<DT><A name="signature">Digital signature</A></DT>
<DD>Sender: 
<UL>
<LI>calculates a <A href="#digest">message digest</A> of a  document</LI>
<LI>encrypts the digest with his or her private key, using some <A href="#public">
public key cryptosystem</A>.</LI>
<LI>attaches the encrypted digest to the document as a  signature</LI>
</UL>
</DD>
<P>Receiver:</P>
<UL>
<LI>calculates a digest of the document (not including the  signature)</LI>
<LI>decrypts the signature with the signer's public key</LI>
<LI>verifies that the two results are identical</LI>
</UL>
<P>If the public-key system is secure and the verification succeeds, 
 then the receiver knows</P>
<UL>
<LI>that the document was not altered between signing and  verification</LI>
<LI>that the signer had access to the private key</LI>
</UL>
<P>Such an encrypted message digest can be treated as a signature 
 since it cannot be created without <EM>both</EM> the document <EM> and</EM>
 the private key which only the sender should possess. The <A href="#legal">
 legal issues</A> are complex, but several countries  are moving in the 
direction of legal recognition for digital  signatures.</P>
<DT><A name="dlog">discrete logarithm problem</A></DT>
<DD>The problem of finding logarithms in a finite field. Given a field 
 defintion (such definitions always include some operation analogous to 
 multiplication) and two numbers, a base and a target, find the power 
 which the base must be raised to in order to yield the target. </DD>
<P>The discrete log problem is the basis of several cryptographic 
 systems, including the <A href="#DH">Diffie-Hellman</A> key exchange 
 used in the <A href="#IKE">IKE</A> protocol. The useful property is 
 that exponentiation is relatively easy but the inverse operation, 
 finding the logarithm, is hard. The cryptosystems are designed so that 
 the user does only easy operations (exponentiation in the field) but 
 an attacker must solve the hard problem (discrete log) to crack the 
 system.</P>
<P>There are several variants of the problem for different types of 
 field. The IKE/Oakley key determination protocol uses two variants, 
 either over a field modulo a prime or over a field defined by an 
 elliptic curve. We give an example modulo a prime below. For the 
 elliptic curve version, consult an advanced text such as <A href="#handbook">
Handbook of Applied Cryptography</A>.</P>
<P>Given a prime <VAR>p</VAR>, a generator <VAR>g</VAR> for the field 
 modulo that prime, and a number <VAR>x</VAR> in the field, the problem 
 is to find <VAR>y</VAR> such that <VAR>g^y = x</VAR>.</P>
<P>For example, let p = 13. The field is then the integers from 0 to 
 12. Any integer equals one of these modulo 13. That is, the remainder 
 when any integer is divided by 13 must be one of these.</P>
<P>2 is a generator for this field.  That is, the powers of two modulo 
 13 run through all the non-zero numbers in the field. Modulo 13 we 
 have:</P>
<PRE>          y      x
        2^0  ==  1
        2^1  ==  2
        2^2  ==  4
        2^3  ==  8
        2^4  ==  3 that is, the remainder from 16/13 is 3
        2^5  ==  6          the remainder from 32/13 is 6
        2^6  == 12 and so on
        2^7  == 11
        2^8  ==  9
        2^9  ==  5
        2^10 == 10
        2^11 ==  7
        2^12 ==  1</PRE>
<P> Exponentiation in such a field is not difficult. Given, say, <NOBR><VAR>
y = 11</VAR>,</NOBR> calculating <NOBR><VAR>x = 7</VAR></NOBR> is 
straightforward. One method is just to calculate <NOBR><VAR>2^11 = 2048</VAR>
,</NOBR> then <NOBR><VAR>2048 mod 13 == 7</VAR>.</NOBR> When the field 
is modulo a large prime (say a few 100 digits) you need a silghtly 
cleverer method and even that is moderately expensive in computer time, 
but the calculation is still not  problematic in any basic way.</P>
<P> The discrete log problem is the reverse. In our example, given <NOBR>
<VAR>x = 7</VAR>,</NOBR> find the logarithm <NOBR><VAR>y = 11</VAR>.</NOBR>
 When the  field is modulo a large prime (or is based on a suitable 
elliptic  curve), this is indeed problematic. No solution method that 
is not  catastrophically expensive is known. Quite a few mathematicians 
have  tackled this problem. No efficient method has been found and 
mathematicians  do not expect that one will be. It seems likely no 
efficient solution  to either of the main variants the discrete log 
problem exists.</P>
<P>Note, however, that no-one has proven such methods do not exist. If 
 a solution to either variant were found, the security of any crypto 
 system using that variant would be destroyed.  This is one reason <A href="#IKE">
 IKE</A> supports two variants. If one is broken, we can  switch to the 
other.</P>
<DT><A name="DNS">DNS</A></DT>
<DD><B>D</B>omain <B>N</B>ame <B>S</B>ervice, a distributed database 
 through which names are associated with numeric addresses and other 
 information in the Internet Protocol Suite. See also <A href="#BIND">
BIND</A>, the Berkeley Internet Name Daemon which  implements DNS 
services and <A href="#SDNS">Secure DNS</A>. See our  bibliography for 
a <A href="#DNS.book">useful reference</A> on  both.</DD>
<DT>DOS attack</DT>
<DD>see <A href="#DOS">Denial Of Service</A> attack</DD>
<DT><A name="E">E</A></DT>
<DT><A name="EAR"><A name="E2"></A><A name="E">EAR</A></DT>
<DD>The US government's <B>E</B>xport <B>A</B>dministration <B> R</B>
egulations, administered by the <A href="#BXA">Bureau of  Export 
Administration</A>. These have replaced the earlier <A href="#ITAR">ITAR</A>
 regulations as the controls on export of  cryptography.</DD>
<DT><A name="ECB">ECB mode</A></DT>
<DD><B>E</B>lectronic <B>C</B>ode<B>B</B>ook mode, the simplest way to 
 use a block cipher. See <A href="#mode">Cipher Modes</A>.</DD>
<DT><A name="EDE">EDE</A></DT>
<DD>The sequence of operations normally used in either the three-key 
 variant of <A href="#3DES">triple DES</A> used in <A href="#IPSEC">
IPSEC</A> or the <A href="#2key">two-key</A> variant  used in some 
other systems. </DD>
<P>The sequence is:</P>
<UL>
<LI><B>E</B>ncrypt with key1</LI>
<LI><B>D</B>ecrypt with key2</LI>
<LI><B>E</B>ncrypt with key3</LI>
</UL>
<P>For the two-key version, key1=key3.</P>
<P>The &quot;advantage&quot; of this EDE order of operations is that it makes it 
 simple to interoperate with older devices offering only single DES. 
 Set key1=key2=key3 and you have the worst of both worlds, the overhead 
 of triple DES with the security of single DES. Since <A href="#desnotsecure">
single DES is insecure</A>, this is an extremely  dubious &quot;advantage&quot;.</P>
<P>The EDE two-key variant can also interoperate with the EDE 
 three-key variant used in <A href="#IPSEC">IPSEC</A>; just set  k1=k3.</P>
<DT><A name="Entrust"><A href="http://www.entrust.com">Entrust</A></A></DT>
<DD>A Canadian company offerring enterprise <A href="#PKI">PKI</A>
 products using <A href="#CAST128">CAST-128</A> symmetric crypto, <A href="#RSA">
RSA</A> public key and <A href="#X509">X.509</A> directories.</DD>
<DT><A name="EFF">EFF</A></DT>
<DD><A href="http://www.eff.org">Electronic Frontier Foundation</A>, an 
 advocacy group for civil rights in cyberspace.</DD>
<DT><A name="encryption">Encryption</A></DT>
<DD>Techniques for converting a readable message (<A href="#plaintext">
plaintext</A>) into apparently random material (<A href="#ciphertext">
ciphertext</A>) which cannot be read if  intercepted. A key is required 
to read the message. </DD>
<P>Major variants include <A href="#symmetric">symmetric</A> encryption 
in which sender and receiver use the same secret key and <A href="#public">
public key</A> methods in which the sender uses one of  a matched pair 
of keys and the receiver uses the other. Many current  systems, 
including <A href="#IPSEC">IPSEC</A>, are <A href="#hybrid">hybrids</A>
 combining the two techniques.</P>
<DT><A name="ESP">ESP</A></DT>
<DD><B>E</B>ncapsulated <B>S</B>ecurity <B>P</B>ayload, the <A href="#IPSEC">
IPSEC</A> protocol which provides <A href="#encryption">encryption</A>. 
It can also provide <A href="#authentication">authentication</A>
 service and may be used with  null encryption (which we do not 
recommend). For details see our <A href="#ESP">IPSEC Overview</A>
 document and/or RFC 2406.</DD>
<DT><A name="extruded">Extruded subnet</A></DT>
<DD>A situation in which something IP sees as one network is actually 
in  two or more places. </DD>
<P>For example, the Internet may route all traffic for a particular 
 company to that firm's corporate gateway. It then becomes the 
 company's problem to get packets to various machines on their <A href="#subnet">
subnets</A> in various departments. They may decide to  treat a branch 
office like a subnet, giving it IP addresses &quot;on&quot; their  corporate net. 
This becomes an extruded subnet.</P>
<P>Packets bound for it are delivered to the corporate gateway, since 
 as far as the outside world is concerned, that subnet is part of the 
 corporate network. However, instead of going onto the corporate LAN 
 (as they would for, say, the accounting department) they are then 
 encapsulated and sent back onto the Internet for delivery to the 
 branch office.</P>
<P>For information on doing this with Linux FreeS/WAN, look in our <A href="#extruded">
Configuration</A> file.</P>
<DT>Exhaustive search</DT>
<DD>See <A href="#brute">brute force attack</A>.</DD>
<DT><A name="F">F</A></DT>
<DT><A name="FIPS"><A name="F">FIPS</A></A></DT>
<DD><B>F</B>ederal <B>I</B>nformation <B>P</B>rocessing <B>S</B>
tandard,  the US government's standards for products it buys. These are 
issued  by <A href="#NIST">NIST</A>. Among other things, <A href="#DES">
DES</A> and <A href="#SHA">SHA</A> are defined in FIPS  documents. NIST 
have a <A href="http://www.itl.nist.gov/div897/pubs">FIPS home page</A>.</DD>
<DT><A name="FSF">Free Software Foundation (FSF)</A></DT>
<DD>An organisation to promote free software, free in the sense of 
these  quotes from their web pages</DD>
<DD><BLOCKQUOTE> &quot;Free software&quot; is a matter of liberty, not price. To 
understand the  concept, you should think of &quot;free speech&quot;, not &quot;free 
beer.&quot; 
<P>&quot;Free software&quot; refers to the users' freedom to run, copy, 
 distribute, study, change and improve the software.</P>
</BLOCKQUOTE></DD>
<P>See also <A href="#GNU">GNU</A>, <A href="#GPL">GNU General Public 
 License</A>, and <A href="http://www.fsf.org">the FSF site</A>.</P>
<DT>FreeSWAN</DT>
<DD>see <A href="#FreeSWAN">Linux FreeS/WAN</A></DD>
<DT>FSF</DT>
<DD>see <A href="#FSF">Free software Foundation</A></DD>
<DT><A name="G">G</A></DT>
<DT><A name="GCHQ"><A name="G">GCHQ</A></A></DT>
<DD><A href="http://www.gchq.gov.uk">Government Communications 
 Headquarters</A>, the British organisation for <A href="#SIGINT">
signals intelligence</A>.</DD>
<DT>generator of a prime field</DT>
<DD>see <A href="#dlog">discrete logarithm problem</A></DD>
<DT><A name="GILC">GILC</A></DT>
<DD><A href="http://www.gilc.org">Global Internet Liberty Campaign</A>, 
 an international organisation advocating, among other things, free 
 availability of cryptography. They have a <A href="http://www.gilc.org/crypto/wassenaar">
campaign</A> to remove  cryptographic software from the <A href="#Wassenaar">
Wassenaar  Arrangement</A>.</DD>
<DT>Global Internet Liberty Campaign</DT>
<DD>see <A href="#GILC">GILC</A>.</DD>
<DT><A name="GTR"><A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
Global  Trust Register</A></A></DT>
<DD>An attempt to create something like a <A href="#rootCA">root CA</A>
 for <A href="#PGP">PGP</A> by publishing both <A href="#GTR">as a  book</A>
 and <A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
 on  the web</A> the fingerprints of a set of verified keys for 
well-known  users and organisations.</DD>
<DT>GMP</DT>
<DD>The <B>G</B>NU <B>M</B>ulti-<B>P</B>recision library code, used in <A
href="#FreeSWAN"> Linux FreeS/WAN</A> by <A href="#Pluto">Pluto</A> for <A
href="#public">public key</A> calculations.</DD>
<DT><A name="GNU">GNU</A></DT>
<DD><B>G</B>NU's <B>N</B>ot <B>U</B>nix, the <A href="#FSF">Free 
 Software Foundation's</A> project aimed at creating a free system with 
 at least the capabilities of Unix. <A href="#Linux">Linux</A> uses GNU 
 utilities extensively.</DD>
<DT>GPG</DT>
<DD>see <A href="#GPG">GNU Privacy Guard</A></DD>
<DT><A name="GPL">GNU <A href="http://www.fsf.org/copyleft/gpl.html">
 General  Public License</A>(GPL, copyleft)</A></DT>
<DD>The license developed by the <A href="#FSF">Free Software 
 Foundation</A> under which <A href="#Linux">Linux</A>, <A href="#FreeSWAN">
Linux FreeS/WAN</A> and many other pieces of software  are distributed. 
The license allows anyone to redistribute and modify  the code, but 
forbids anyone from distributing executables without  providing access 
to source code. For more details see the file <A href="../COPYING">
COPYING</A> included with GPLed source  distributions, including ours, 
or <A href="http://www.fsf.org/copyleft/gpl.html"> the GNU site's GPL 
 page</A>.</DD>
<DT><A name="GPG"><A href="http://www.gnupg.org">GNU Privacy Guard</A></A>
</DT>
<DD>An open source implementation of Open <A href="#PGP">PGP</A> as 
 defined in RFC 2440.</DD>
<DT>GPL</DT>
<DD>see <A href="#GPL">GNU General Public License</A>.</DD>
<DT><A name="H">H</A></DT>
<DT><A name="hash">Hash</A></DT>
<DD>see <A href="#digest">message digest</A></DD>
<DT><A name="HMAC">Hashed Message Authentication Code (HMAC)</A></DT>
<DD>using keyed <A href="#digest">message digest</A> functions to 
 authenticate a message. This differs from other uses of these 
 functions: 
<UL>
<LI>In normal usage, the hash function's internal variable are 
 initialised in some standard way. Anyone can reproduce the hash to 
 check that the message has not been altered.</LI>
<LI>For HMAC usage, you initialise the internal variables from the 
 key. Only someone with the key can reproduce the hash. A  successful 
check of the hash indicates not only that the message  is unchanged but 
also that the creator knew the key.</LI>
</UL>
</DD>
<P>The exact techniques used in <A href="#IPSEC">IPSEC</A> are defined 
 in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96 
 because they output only 96 bits of the hash. This makes some attacks 
 on the hash functions harder.</P>
<DT>HMAC</DT>
<DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
<DT>HMAC-MD5-96</DT>
<DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
<DT>HMAC-SHA-96</DT>
<DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
<DT><A name="hybrid">Hybrid cryptosystem</A></DT>
<DD>A system using both <A href="#public">public key</A> and <A href="#symmetric">
symmetric cipher</A> techniques. This works well.  Public key methods 
provide key management and <A href="#signature">digital signature</A>
 facilities which are not  readily available using symmetric ciphers. 
The symmetric cipher,  however, can do the bulk of the encryption work 
much more efficiently  than public key methods.</DD>
<DT><A name="I">I</A></DT>
<DT><A name="IAB">IAB</A></DT>
<DD><A href="http://www.iab.org/iab">Internet Architecture  Board</A>.</DD>
<DT><A name="icmp">ICMP</A></DT>
<DD><STRONG>I</STRONG>nternet <STRONG>C</STRONG>ontrol <STRONG> M</STRONG>
essage <STRONG>P</STRONG>rotocol. This is used for  various 
IP-connected devices to manage the network.</DD>
<DT><A name="IDEA">IDEA</A></DT>
<DD><B>I</B>nternational <B>D</B>ata <B>E</B>ncrypion <B>A</B>lgorithm, 
 developed in Europe as an alternative to exportable American ciphers 
 such as <A href="#DES">DES</A> which were <A href="#desnotsecure">too 
 weak for serious use</A>. IDEA is a <A href="#block">block cipher</A>
 using 64-bit blocks and 128-bit keys, and is used in products such as <A
href="#PGP"> PGP</A>. </DD>
<P>IDEA is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>.</P>
<P>IDEA is patented and, with strictly limited exceptions for personal 
 use, using it requires a license from <A href="http://www.ascom.com">
Ascom</A>.</P>
<DT><A name="IESG">IESG</A></DT>
<DD><A href="http://www.ietf.org">Internet Engineering Steering  Group</A>
.</DD>
<DT><A name="IETF">IETF</A></DT>
<DD><A href="http://www.ietf.org">Internet Engineering Task Force</A>, 
 the umbrella organisation whose various working groups make most of 
 the technical decisions for the Internet. The IETF <A href="http://www.ietf.org/html.charters/ipsec-charter.html">
 IPSEC  working group</A> wrote the <A href="#RFC">RFCs</A> we are 
 implementing.</DD>
<DT><A name="IKE">IKE</A></DT>
<DD><B>I</B>nternet <B>K</B>ey <B>E</B>xchange, based on the <A href="#DH">
Diffie-Hellman</A> key exchange protocol. IKE is  implemented in <A href="#FreeSWAN">
Linux FreeS/WAN</A> by the <A href="#Pluto">Pluto daemon</A>.</DD>
<DT><A name="IV">Initialisation Vector (IV)</A></DT>
<DD>Some cipher <A href="#mode">modes</A>, including the <A href="#CBC">
CBC</A> mode which IPSEC uses, require some extra data at  the 
beginning. This data is called the initialisation vector. It need  not 
be secret, but should be different for each message. Its function  is 
to prevent messages which begin with the same text from encrypting  to 
the same ciphertext. That might give an analyst an opening, so it  is 
best prevented.</DD>
<DT><A name="IP">IP</A></DT>
<DD><B>I</B>nternet <B>P</B>rotocol.</DD>
<DT><A name="masq">IP masquerade</A></DT>
<DD>A method of allowing multiple machines to communicate over the 
 Internet when only one IP address is available for their use. See the 
 Linux masquerade <A href="http://www.tor.shaw.wave.ca/~ambrose">
resource page</A> for  details. </DD>
<P>The client machines are set up with reserved <A href="non-routable">
non-routable</A> IP addresses defined in RFC 1918.  The masquerading 
gateway, the machine with the actual link to the  Internet, rewrites 
packet headers so that all packets going onto the  Internet appear to 
come from one IP address, that of its Internet  interface. It then gets 
all the replies, does some table lookups and  more header rewriting, 
and delivers the replies to the appropriate  client machines.</P>
<P> For information on using masquerade with Linux FreeS/WAN, see our <A href="#NAT">
 firewall document</A> and the <A href="#masq.faq">FAQ</A> and.</P>
<DT><A name="IPng">IPng</A></DT>
<DD>&quot;IP the Next Generation&quot;, see <A href="#ipv6.gloss">IPv6</A>.</DD>
<DT><A name="IPv4">IPv4</A></DT>
<DD>The current version of the <A href="#IP">Internet protocol  suite</A>
.</DD>
<DT><A name="ipv6.gloss">IPv6 (IPng)</A></DT>
<DD>Version six of the <A href="#IP">Internet protocol suite</A>, 
 currently being developed. It will replace the current <A href="#IPv4">
version four</A>. IPv6 has <A href="#IPSEC">IPSEC</A> as  a mandatory 
component. </DD>
<P>See this <A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
web  site</A> for more details, and our <A href="#ipv6">compatibility</A>
 document for information on FreeS/WAN and the Linux implementation of 
 IPv6.</P>
<DT><A name="IPSEC">IPSEC</A></DT>
<DD><B>I</B>nternet <B>P</B>rotocol <B>SEC</B>urity, security functions 
 (<A href="#authentication">authentication</A> and <A href="#encryption">
encryption</A>) implemented at the IP level of the  protocol stack. It 
is optional for <A href="#IPv4">IPv4</A> and  mandatory for <A href="#ipv6.gloss">
IPv6</A>. </DD>
<P>This is the standard <A href="#FreeSWAN">Linux FreeS/WAN</A> is 
 implementing. For more details, see our <A href="#overview">IPSEC 
 Overview</A>. For the standards, see RFCs listed in our <A href="#RFC">
RFCs document</A>.</P>
<DT><A name="ISAKMP">ISAKMP</A></DT>
<DD><B>I</B>nternet <B>S</B>ecurity <B>A</B>ssociation and <B>K</B>ey <B>
 M</B>anagement <B>P</B>rotocol, defined in RFC 2408.</DD>
<DT><A name="ITAR">ITAR</A></DT>
<DD><B>I</B>nternational <B>T</B>raffic in <B>A</B>rms <B> R</B>
egulations, US regulations administered by the State  Department which 
until recently limited export of, among other things,  cryptographic 
technology and software. ITAR still exists, but the  limits on 
cryptography have now been transferred to the <A href="#EAR">Export 
Administration Regulations</A> under the Commerce  Department's <A href="#BXA">
Bureau of Export Administration</A>.</DD>
<DT>IV</DT>
<DD>see <A href="#IV">Initialisation vector</A></DD>
<DT><A name="J">J</A></DT>
<DT><A name="K">K</A></DT>
<DT><A name="kernel">Kernel</A></DT>
<DD>The basic part of an operating system (e.g. Linux) which controls 
 the hardware and provides services to all other programs. </DD>
<P>In the Linux release numbering system, an even second digit as in  2.<STRONG>
2</STRONG>.x indicates a stable or production kernel while  an odd 
number as in 2.<STRONG>3</STRONG>.x indicates an experimental  or 
development kernel. Most users should run a recent kernel version  from 
the production series. The development kernels are primarily for 
 people doing kernel development. Others should consider using 
 development kernels only if they have an urgent need for some feature 
 not yet available in production kernels.</P>
<DT>Keyed message digest</DT>
<DD>See <A href="#HMAC">HMAC</A>.</DD>
<DT>Key length</DT>
<DD>see <A href="#brute">brute force attack</A></DD>
<DT><A name="KLIPS">KLIPS</A></DT>
<DD><B>K</B>erne<B>l</B><B> IP</B><B> S</B>ecurity, the <A href="#FreeSWAN">
Linux FreeS/WAN</A> project's changes to the <A href="#Linux">Linux</A>
 kernel to support the <A href="#IPSEC">IPSEC</A> protocols.</DD>
<DT><A name="L">L</A></DT>
<DT><A name="LDAP">LDAP</A></DT>
<DD><B>L</B>ightweight <B>D</B>irectory <B>A</B>ccess <B>P</B>rotocol, 
 defined in RFCs 1777 and 1778,  a method of accessing information 
 stored in directories. LDAP is used by several <A href="#PKI">PKI</A>
 implementations, often with X.501 directories and <A href="#X509">X.509</A>
 certificates. It may also be used by <A href="#IPSEC">IPSEC</A> to 
obtain key certifications from those PKIs.  This is not yet implemented 
in <A href="#FreeSWAN">Linux  FreeS/WAN</A>.</DD>
<DT><A name="LIBDES">LIBDES</A></DT>
<DD>A publicly available library of <A href="#DES">DES</A> code, 
written  by Eric Young, which <A href="#FreeSWAN">Linux FreeS/WAN</A>
 uses in  both <A href="#KLIPS">KLIPS</A> and <A href="#Pluto">Pluto</A>
.</DD>
<DT><A name="Linux">Linux</A></DT>
<DD>A freely available Unix-like operating system based on a kernel 
 originally written for the Intel 386 architecture by (then) student 
 Linus Torvalds. Once his 32-bit kernel was available, the <A href="#GNU">
GNU</A> utilities made it a usable system and  contributions from many 
others led to explosive growth. </DD>
<P>Today Linux is a complete Unix replacement available for several 
 CPU architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit 
 SPARC and the 64-bit UltraSPARC, SrongARM, . . . -- with support for 
 multiple CPUs on some architectures.</P>
<P><A href="#FreeSWAN">Linux FreeS/WAN</A> is intended to run on all 
 CPUs supported by Linux and is known to work on several. See our <A href="#CPUs">
 compatibility</A> section for a list.</P>
<DT><A name="FreeSWAN">Linux FreeS/WAN</A></DT>
<DD>Our implementation of the <A href="#IPSEC">IPSEC</A> protocols, 
 intended to be freely redistributable source code with <A href="#GPL">
a GNU GPL license</A> and no constraints under US or other <A href="#exlaw">
 export laws</A>. Linux FreeS/WAN is intended to  interoperate with 
other <A href="#IPSEC">IPSEC</A> implementations.  The name is partly 
taken, with permission, from the <A href="#SWAN">S/WAN</A> multi-vendor 
IPSEC compatability effort. Linux  FreeS/WAN has two major components, <A
href="#KLIPS">KLIPS</A> (KerneL  IPSEC Support) and the <A href="#Pluto">
Pluto</A> daemon which manages  the whole thing. </DD>
<P>See our <A href="#overview">IPSEC Overview</A> for more detail. For 
 the code see our <A href="http://freeswan.org"> primary distribution 
 site</A> or one of the mirror sites on <A href="intro.html#mirrors">
 this  list</A>.</P>
<DT><A name="M">M</A></DT>
<DT><A name="list">Mailing list</A></DT>
<DD>The <A href="#FreeSWAN">Linux FreeS/WAN</A> project has several 
 public email lists for bug reports and software development 
 discussions. See our document on <A href="mail.html">mailing lists</A>.</DD>
<DT><A name="middle">Man-in-the-middle attack</A></DT>
<DD>An <A href="#active">active attack</A> in which the attacker 
 impersonates each of the legitimate players in a protocol to the 
 other. </DD>
<P>For example, if <A href="#alicebob">Alice and Bob</A> are 
 negotiating a key via the <A href="#DH">Diffie-Hellman</A> key 
 agreement, and are not using <A href="#authentication">authentication</A>
 to be certain they are  talking to each other, then an attacker able 
to insert himself in the  communication path can deceive both players.</P>
<P>Call the attacker Mallory. For Bob, he pretends to be Alice. For 
 Alice, he pretends to be Bob. Two keys are then negotiated, 
 Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key 
 they have is Alice-to-Bob.</P>
<P>A message from Alice to Bob then goes to Mallory who decrypts it, 
 reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key 
 and sends it along to Bob. Bob decrypts successfully and sends a reply 
 which Mallory decrypts, reads, re-encrypts and forwards to Alice.</P>
<P>To make this attack effective, Mallory must</P>
<UL>
<LI>subvert some part of the network in some way that lets him carry 
 out the deception
<BR> possible targets: DNS, router, Alice or Bob's machine, mail 
 server, ...</LI>
<LI>beat any authentication mechanism Alice and Bob use
<BR> strong authentication defeats the attack entirely; this is why <A href="#IKE">
IKE</A> requires authentication</LI>
<LI>work in real time, delivering messages without introducing  a delay 
large enough to alert the victims
<BR> not hard if Alice and Bob are using email; quite difficult in some 
 situations.</LI>
</UL>
<P>If he manages it, however, it is devastating. He not only gets to 
 read all the messages; he can alter messages, inject his own, forge 
 anything he likes, . . . In fact, he controls the communication 
 completely.</P>
<DT><A name="manual">Manual keying</A></DT>
<DD>An IPSEC mode in which the keys are provided by the administrator. 
 In FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative, <A href="#auto">
automatic keying</A>, is preferred in most cases.</DD>
<DT><A name="MD4">MD4</A></DT>
<DD><A href="#digest">Message Digest Algorithm</A> Four from Ron Rivest 
 of <A href="#RSAco">RSA</A>. MD4 was widely used a few years ago, but 
 is now considered obsolete. It has been replaced by its descendants <A href="#MD5">
MD5</A> and <A href="#SHA">SHA</A>.</DD>
<DT><A name="MD5">MD5</A></DT>
<DD><A href="#digest">Message Digest Algorithm</A> Five from Ron Rivest 
 of <A href="#RSAco">RSA</A>, an improved variant of his <A href="#MD4">
MD4</A>. Like MD4, it produces a 128-bit hash. For details  see RFC 
1321. </DD>
<P>MD5 is one of two message digest algorithms available in IPSEC. The 
 other is <A href="#SHA">SHA</A>. SHA produces a longer hash and is 
 therefore more resistant to <A href="#birthday">birthday attacks</A>, 
 but this is not a concern for IPSEC. The <A href="#HMAC">HMAC</A>
 method used in IPSEC is secure even if the underlying hash is not 
 particularly strong against this attack.</P>
<DT><A name="meet">Meet-in-the-middle attack</A></DT>
<DD>A divide-and-conquer attack which breaks a cipher into two parts, 
 works against each separately, and compares results. Probably the best 
 known example is an attack on double DES. This applies in principle to 
 any pair of block ciphers, e.g. to an encryption system using, say, 
 CAST-128 and Blowfish, but we will describe it for double DES. </DD>
<P>Double DES encryption and decryption can be written:</P>
<PRE>        C = E(k2,E(k1,P))
        P = D(k1,D(k2,C))</PRE>
<P>Where C is ciphertext, P is plaintext, E is encryption, D is 
 decryption, k1 is one key, and k2 is the other key. If we know a P, C 
 pair, we can try and find the keys with a brute force attack, trying 
 all possible k1, k2 pairs. Since each key is 56 bits, there are  2<SUP>
112</SUP> such pairs and this attack is painfully  inefficient.</P>
<P>The meet-in-the middle attack re-writes the equations to calculate 
 a middle value M:</P>
<PRE>        M = E(k1,P)
        M = D(k2,C)</PRE>
<P>Now we can try some large number of D(k2,C) decryptions with 
 various values of k2 and store the results in a table. Then start 
 doing E(k1,P) encryptions, checking each result to see if it is in the 
 table.</P>
<P>With enough table space, this breaks double DES with 2<SUP>57</SUP>
 work. The memory requirements of such attacks can be prohibitive, but 
 there is a whole body of research literature on methods of reducing 
 them.</P>
<DT><A name="digest">Message Digest Algorithm</A></DT>
<DD>An algorithm which takes a message as input and produces a hash or 
 digest of it, a fixed-length set of bits which depend on the message 
 contents in some highly complex manner. Design criteria include making 
 it extremely difficult for anyone to counterfeit a digest or to change 
 a message without altering its digest. One essential property is <A href="#collision">
collision resistance</A>. The main applications are  in message <A href="#authentication">
authentication</A> and <A href="#signature">digital signature</A>
 schemes. Widely used  algorithms include <A href="#MD5">MD5</A> and <A href="#SHA">
SHA</A>.  In IPSEC, message digests are used for <A href="#HMAC">HMAC</A>
 authentication of packets.</DD>
<DT><A name="MTU">MTU</A></DT>
<DD><STRONG>M</STRONG>aximum <STRONG>T</STRONG>ransmission <STRONG> U</STRONG>
nit, the largest size of packet that can be sent  over a link. This is 
determined by the underlying network, but must be  taken account of at 
the IP level. </DD>
<P>IP packets, which can be up to 64K bytes each, must be packaged 
 into lower-level packets of the appropriate size for the underlying 
 network(s) and re-assembled on the other end. When a packet must pass 
 over multiple networks, each with its own MTU, and many of the MTUs 
 are unknown to the sender, this becomes a fairly complex problem. See <A
href="#pathMTU"> path MTU discovery</A> for details.</P>
<P>Often the MTU is a few hundred bytes on serial links and 1500  on 
Ethernet. There are, however, serial link protocols which use a  larger 
MTU to avoid fragmentation at the ethernet/serial  boundary, and newer 
(especially gigabit) Ethernet networks sometimes  support much larger 
packets because these are more efficient in some  applications.</P>
<DT><A name="N">N</A></DT>
<DT><A name="NAI">NAI</A></DT>
<DD><A href="http://www.nai.com">Network Associates</A>, a conglomerate 
 formed from <A href="#PGPI">PGP Inc.</A>, <A href="#">TIS</A>, 
 Macaffee Anti-virus products and several others. Among other things, 
 they offer an IPSEC-based <A href="http://www.nai.com/products/security/prodserv/gauntlet/vpn/index.asp">
VPN</A>.</DD>
<DT><A name="NAT.gloss">NAT</A></DT>
<DD><B>N</B>etwork <B>A</B>ddress <B>T</B>ranslation.</DD>
<DT><A name="NIST">NIST</A></DT>
<DD>The US <A href="http://www.nist.gov"> National Institute of 
 Standards and Technology</A>, responsible for <A href="#FIPS">FIPS 
 standards</A> including <A href="#DES">DES</A> and its replacement, <A href="#AES">
AES</A>.</DD>
<DT><A name="nonce">Nonce</A></DT>
<DD>A <A href="#random">random</A> value used in an <A href="#authentication">
authentication</A> protocol.</DD>
<DT>
<DT><A name="non-routable">Non-routable IP address</A></DT>
<DD>An IP address not normally allowed in the &quot;to&quot; or &quot;from&quot; IP address 
 field header of IP packets. </DD>
<P>Almost invariably, the phrase &quot;non-routable address&quot; means one of 
 the addresses reserved by RFC 1918 for private networks:</P>
<UL>
<LI>10.anything</LI>
<LI>172.x.anything with 16 &lt;= x &lt;= 31</LI>
<LI>192.168.anything</LI>
</UL>
<P>These addresses are commonly used on private networks, e.g. behind 
 a Linux machines doing <A href="#masq">IP masquerade</A>. Machines 
 within the private network can address each other with these 
 addresses. All packets going outside that network, however, have these 
 addresses replaced before they reach the Internet.</P>
<P>If any packets using these addresses do leak out, they do not go 
 far. Most routers automatically discard all such packets.</P>
<P>Various other addresses -- the 127.0.0.0/8 block reserved for local 
 use, 0.0.0.0, various broadcast and network addresses -- cannot be 
 routed over the Internet, but are not normally included in the meaning 
 when the phrase &quot;non-routable address&quot; is used.</P>
<DT><A name="NSA">NSA</A></DT>
<DD>The US <A href="http://www.nsa.gov"> National Security Agency</A>, 
 the American organisation for <A href="#SIGINT">signals  intelligence</A>
, the protection of US government messages and the  interception and 
analysis of other messages. For details, see  Bamford's <A href="#puzzle">
&quot;The Puzzle Palace&quot;</A>. </DD>
<P>Some <A href="http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html">
history  of NSA</A> documents were declassified in response to a FOIA 
(Freedom  of Information Act) request.</P>
<DT><A name="O">O</A></DT>
<DT><A name="oakley">Oakley</A></DT>
<DD>A key determination protocol, defined in RFC 2412.</DD>
<DT>Oakley groups</DT>
<DD>The groups used as the basis of <A href="#DH">Diffie-Hellman</A>
 key  exchange in the Oakley protocol, and in <A href="#IKE">IKE</A>. 
Four  were defined in the original RFC, and a fifth has been <A href="http://www.lounge.org/ike_doi_errata.html">
added since</A>. </DD>
<P>Linux FreeS/WAN currently supports the three groups based on finite 
 fields modulo a prime (Groups 1, 2 and 5) and does not support the 
 elliptic curve groups (3 and 4). For a description of the difference 
 of the types, see <A href="#dlog">discrete logarithms</A>.</P>
<DT><A name="OTP">One time pad</A></DT>
<DD>A cipher in which the key is: 
<UL>
<LI>as long as the total set of messages to be enciphered</LI>
<LI>absolutely <A href="#random">random</A></LI>
<LI>never re-used</LI>
</UL>
</DD>
<P>Given those three conditions, it can easily be proved that the 
 cipher is perfectly secure, in the sense that an attacker with 
 intercepted message in hand has no better chance of guessing the 
 message than an attacker who has nt interecepted the message and only 
 knows the message length. No such proof exists for any other  cipher.</P>
<P>There are, however, several problems with this &quot;perfect&quot;  cipher.</P>
<UL>
<LI>It is wildly impractical for many applications. Key management  is 
difficult or impossible.</LI>
<LI>It is <EM>extremely</EM> fragile. Small changes which violate  the 
conditions listed above do not just weaken the cipher a bit;  quite 
often they destroy its security completely. 
<UL>
<LI>Re-using the pad weakens it to the point where it can be  broken 
with pencil and paper. With a computer, the attack is  trivially easy.</LI>
<LI>Using computer-generated pseudo-random numbers instead of a  really <A
href="#random">random</A> pad completely invalidates  the security 
proof. Depending on random number generator used,  this may also give 
an extremely weak cipher.</LI>
</UL>
</LI>
<LI>If an attacker knows the plaintext and has an intercepted  message, 
he can discover the pad. This does not matter if the  attacker is just 
a <A href="#passive">passive</A> eavesdropper. It  gives him no 
plaintext he didn't already know and we don't care  that he learns a 
pad which we'll never re-use. However, knowing  the pad lets an <A href="#active">
active</A> attacker perform a <A href="#middle">man-in-the-middle</A>
 attack, replacing your  message with whatever he chooses.</LI>
</UL>
<P>Marketing claims about the &quot;unbreakable&quot; security of various 
 products which somewhat resemble one-time pads are common. Such claims 
 are one of the surest signs of cryptographic <A href="#snake">snake 
 oil</A>. Systems marketed with such claims are usually completely 
 worthless.</P>
<P>See also the <A href="http://www.clark.net/pub/mjr/pubs/otpfaq/">one 
time pad  FAQ</A>.</P>
<DT><A name="carpediem">Opportunistic encryption</A></DT>
<DD>A situation in which any two IPSEC-aware machines can secure their 
 communications, without a pre-shared secret and without a common <A href="#PKI">
PKI</A> or previous exchange of public keys. This is one  of the goals 
of the Linux FreeS/WAN project, discussed in our <A href="#goals">
introduction</A> section. </DD>
<P> Setting up for opportunistic encryption is described in our <A href="#oppex">
 configuration</A> document.</P>
<DT><A name="P">P</A></DT>
<DT><A name="P1363"><A href="http://grouper.ieee.org/groups/1363">P1363 
 standard</A></A></DT>
<DD>An <A href="#IEEE">IEEE</A> standard for public key  cryptography.</DD>
<DT><A name="passive">Passive attack</A></DT>
<DD>An attack in which the attacker only eavesdrops and attempts to 
 analyse intercepted messages, as opposed to an <A href="#active">
active attack</A> in which he diverts messages or  generates his own.</DD>
<DT><A name="pathMTU">Path <A href="#MTU">MTU</A></A> discovery</DT>
<DD>The process of discovering the largest packet size which all links 
 on a path can handle without fragmentation -- that is, without any 
 router having to break the packet up into smaller pieces to match the <A
href="#MTU"> MTU</A> of its outgoing link. </DD>
<P>This is done as follows:</P>
<UL>
<LI>originator sends the largest packets allowed by <A href="#MTU">MTU</A>
 of the first link, setting the DF  (<STRONG>d</STRONG>on't <STRONG>f</STRONG>
ragment) bit in the  packet header</LI>
<LI>any router which cannot send the packet on (outgoing MTU is too 
 small for it, and DF prevents fragmenting it to match) sends back  an <A
href="#ICMP">ICMP</A> packet reporting the problem</LI>
<LI>originator looks at ICMP message and tries a smaller size</LI>
<LI>eventually, you settle on a size that can pass all routers</LI>
<LI>thereafter, originator just sends that size and no-one has to 
 fragment</LI>
</UL>
<P>Since this requires co-operation of many systems, and since the 
 next packet may travel a different path, this is one of the trickier 
 areas of IP programming. Bugs that have shown up over the years have 
 included:</P>
<UL>
<LI>malformed ICMP messages</LI>
<LI>hosts that ignore or mishandle these ICMP messages</LI>
<LI>firewalls blocking the ICMP messages so host does not see  them</LI>
</UL>
<P>Since IPSEC adds a header, it increases packet size and may require 
 fragmentation even where incoming and outgoing MTU are equal.</P>
<DT><A name="PFS">Perfect forward secrecy (PFS)</A></DT>
<DD>A property of systems such as <A href="#DH">Diffie-Hellman</A> key 
 exchange which use a long-term key (such as the shared secret in IKE) 
 and generate short-term keys as required. If an attacker who acquires 
 the long-term key <EM>provably</EM> can 
<UL>
<LI><EM>neither</EM> read previous messages which he may have  archived</LI>
<LI><EM>nor</EM> read future messages without performing additional 
 successful attacks</LI>
</UL>
</DD>
<P>then the system has PFS. The attacker needs the short-term keys in 
 order to read the trafiic and merely having the long-term key does not 
 allow him to infer those. Of course, it may allow him to conduct 
 another attack (such as <A href="#middle">man-in-the-middle</A>) which 
 gives him some short-term keys, but he does not automatically get them 
 just by acquiring the long-term key.</P>
<DT>PFS</DT>
<DD>see Perfect Forward Secrecy</DD>
<DT><A name="PGP">PGP</A></DT>
<DD><B>P</B>retty <B>G</B>ood <B>P</B>rivacy, a personal encryption 
 system for email based on public key technology, written by Phil 
 Zimmerman. </DD>
<P>The 2.xx versions of PGP used the <A href="#RSA">RSA</A> public key 
 algorithm and used <A href="#IDEA">IDEA</A> as the symmetric cipher. 
 These versions are described in RFC 1991 and in <A href="#PGP">
Garfinkel's book</A>. Since version 5, the products from <A href="#pgpi">
 PGP Inc</A>. have used <A href="#DH">Diffie-Hellman</A> public key 
methods and <A href="#CAST128">CAST-128</A> symmetric encryption. These 
can verify  signatures from the 2.xx versions, but cannot exchange 
encryted  messages with them.</P>
<P>An <A href="#IETF">IETF</A> working group has issued RFC 2440 for 
 an &quot;Open PGP&quot; standard, similar to the 5.x versions. PGP Inc. staff 
 were among the authors. A free <A href="#GPG">Gnu Privacy Guard</A>
 based on that standard is now available.</P>
<P>For more information on PGP, including how to obtain it, see our 
 cryptography <A href="#tools">links</A>.</P>
<DT><A name="PGPI">PGP Inc.</A></DT>
<DD>A company founded by Zimmerman, the author of <A href="#PGP">PGP</A>
, now a division of <A href="#NAI">NAI</A>. See the <A href="http://www.pgp.com">
 corporate website</A>. </DD>
<P>Their PGP 6.5 product includes PGPnet, an IPSEC client for 
 Macintosh or for Windows 95/98/NT.</P>
<DT><A name="photuris">Photuris</A></DT>
<DD>Another key negotiation protocol, an alternative to <A href="#IKE">
IKE</A>, described in RFCs 2522 and 2523.</DD>
<DT><A name="PPTP">PPTP</A></DT>
<DD><B>P</B>oint-to-<B>P</B>oint <B>T</B>unneling <B>P</B>rotocol. 
 Papers discussing weaknesses in it are on <A href="http://www.counterpane.com/publish.html">
counterpane.com</A>.</DD>
<DT><A name="PKI">PKI</A></DT>
<DD><B>P</B>ublic <B>K</B>ey <B>I</B>nfrastructure, the things an 
 organisation or community needs to set up in order to make <A href="#public">
public key</A> cryptographic technology a standard part  of their 
operating procedures. </DD>
<P>There are several PKI products on the market. Typically they use a 
 hierarchy of <A href="#CA">Certification Authorities (CAs)</A>. Often 
 they use <A href="#LDAP">LDAP</A> access to <A href="#X509">X.509</A>
 directories to implement this.</P>
<P>See <A href="#web">Web of Trust</A> for a different sort of 
 infrastructure.</P>
<DT><A name="PKIX">PKIX</A></DT>
<DD><B>PKI</B> e<B>X</B>change, an <A href="#IETF">IETF</A> standard 
 that allows <A href="#PKI">PKI</A>s to talk to each other. </DD>
<P>This is required, for example, when users of a corporate PKI need 
 to communicate with people at client, supplier or government 
 organisations, any of which may have a different PKI in place. I 
 should be able to talk to you securely whenever:</P>
<UL>
<LI>your organisation and mine each have a PKI in place</LI>
<LI>you and I are each set up to use those PKIs</LI>
<LI>the two PKIs speak PKIX</LI>
<LI>the configuration allows the conversation</LI>
</UL>
<P>At time of writing (March 1999), this is not yet widely implemented 
 but is under quite active development by several groups.</P>
<DT><A name="plaintext">Plaintext</A></DT>
<DD>The unencrypted input to a cipher, as opposed to the encrypted <A href="#ciphertext">
ciphertext</A> output.</DD>
<DT><A name="Pluto">Pluto</A></DT>
<DD>The <A href="#FreeSWAN">Linux FreeS/WAN</A> daemon which handles 
key  exchange via the <A href="#IKE">IKE</A> protocol, connection 
 negotiation, and other higher-level tasks. Pluto calls the <A href="#KLIPS">
KLIPS</A> kernel code as required. For details, see the  manual page 
ipsec_pluto(8).</DD>
<DT><A name="public">Public Key Cryptography</A></DT>
<DD>In public key cryptography, keys are created in matched pairs. 
 Encrypt with one half of a pair and only the matching other half can 
 decrypt it. This contrasts with <A href="#symmetric">symmetric or 
 secret key cryptography</A> in which a single key known to both 
 parties is used for both encryption and decryption. </DD>
<P>One half of each pair, called the public key, is made public. The 
 other half, called the private key, is kept secret. Messages can then 
 be sent by anyone who knows the public key to the holder of the 
 private key. Encrypt with the public key and you know only someone 
 with the matching private key can decrypt.</P>
<P>Public key techniques can be used to create <A href="#signature">
digital signatures</A> and to deal with key  management issues, perhaps 
the hardest part of effective deployment of <A href="#symmetric">
 symmetric ciphers</A>. The resulting <A href="#hybrid">hybrid 
cryptosystems</A> use public key methods to  manage keys for symmetric 
ciphers.</P>
<P>Many organisations are currently creating <A href="#PKI">PKIs, 
 public key infrastructures</A> to make these benefits widely 
 available.</P>
<DT>Public Key Infrastructure</DT>
<DD>see <A href="#PKI">PKI</A></DD>
<DT><A name="Q">Q</A></DT>
<DT><A name="R">R</A></DT>
<DT><A name="random">Random</A></DT>
<DD>A remarkably tricky term, far too much so for me to attempt a 
 definition here. Quite a few cryptosystems have been broken via 
 attacks on weak random number generators, even when the rest of the 
 system was sound. </DD>
<P>See RFC 1750 for the theory. It will be available <A href="../Internet-docs/rfc1750.txt">
locally</A> if you have downloaded  our RFC bundle (which is <A href="#RFC">
described here</A>). Or read  it <A href="http://nis.nsf.net/internet/documents/rfc/rfc1750.txt">
on  the net</A>.</P>
<P>See the manual pages for ipsec_ranbits(8) and random(4) for details 
 of what we use.</P>
<P>There has recently been discussion on several mailing lists of the 
 limitations of Linux /dev/random and of whether we are using it 
 correctly. Those discussions are archived on the <A href="http://www.openpgp.net/random/index.html">
/dev/random support  page</A>.</P>
<DT><A href="http://www.raptor.com">Raptor</A></DT>
<DD>A firewall product for Windows NT offerring IPSEC-based VPN 
 services. Linux FreeS/WAN interoperates with Raptor; see our <A href="#Raptor">
Compatibility</A> document for details. Raptor have  recently merged 
with Axent.</DD>
<DT><A name="RC4">RC4</A></DT>
<DD><B>R</B>ivest <B>C</B>ipher four, designed by Ron Rivest of <A href="#RSAco">
RSA</A> and widely used. Believed highly secure with  adequate key 
length, but often implemented with inadequate key length  to comply 
with export restrictions.</DD>
<DT><A name="RC6">RC6</A></DT>
<DD><B>R</B>ivest <B>C</B>ipher six, <A href="#RSAco">RSA</A>'s <A href="#AES">
AES</A> candidate cipher.</DD>
<DT><A name="replay">Replay attack</A></DT>
<DD>An attack in which the attacker records data and later replays it 
in  an attempt to deceive the recipient.</DD>
<DT>RFC</DT>
<DD><B>R</B>equest <B>F</B>or <B>C</B>omments, an Internet document. 
 Some RFCs are just informative. Others are standards. </DD>
<P>Our list of <A href="#IPSEC">IPSEC</A> and other security-related 
 RFCs is <A href="#RFC">here</A>, along with information on methods of 
 obtaining them.</P>
<DT><A name="RIPEMD">RIPEMD</A></DT>
<DD>A <A href="#digest">message digest</A> algorithm. The current 
 version is RIPEMD-160 which gives a 160-bit hash.</DD>
<DT><A name="rootCA">Root CA</A></DT>
<DD>The top level <A href="#CA">Certification Authority</A> in a 
 hierachy of such authorities.</DD>
<DT><A name="routable">Routable IP address</A></DT>
<DD>Most IP addresses can be used as &quot;to&quot; and &quot;from&quot; addresses in 
packet  headers. These are the routable addresses; we expect routing to 
be  possible for them. If we send a packet to one of them, we expect 
(in  most cases; there are various complications) that it will be 
delivered  if the address is in use and will cause an <A href="#icmp">
ICMP</A> error packet to come back to us if not. </DD>
<P>There are also several classes of <A href="#non-routable">
non-routable</A> IP addresses.</P>
<DT><A name="RSA">RSA algorithm</A></DT>
<DD><B>R</B>ivest <B>S</B>hamir <B>A</B>dleman public key encryption 
 method, named for its three inventors. The algorithm is widely used 
 and likely to become moreso since it became free of patent 
 encumbrances in September 2000. </DD>
<P> For a full explanation of the algorithm, consult one of the 
standard references such as <A href="#schneier">Applied Cryptography</A>
. A simple explanation is: </P>
<P> The great 17th century French mathematician <A href="http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Fermat.html">
Fermat</A> proved that, for any prime p and number x, 0 
<!--= x < p:
<pre-->
 x^p == x 
 modulo p  x^(p-1) == 1  modulo p, non-zero x  From this it follows 
that if we have a pair of primes p, q and two numbers e, d such that: </P>
<PRE>
        ed == 1                 modulo lcm( p-1, q-1)
</PRE>
 where lcm() is least common multiple, then for all x, 0 
<!--= x < pq:
<pre-->
 x^(ed-1) == 1 
 modulo pq, non-zero x  x^ed == x  modulo pq  So we construct such as 
set of numbers p, q, e, d and publish the product N=pq and e as the 
public key. Encryption is then: 
<PRE>
        c = x^e                 modulo N
</PRE>
 An attacker cannot deduce x from the cyphertext c, short of either 
factoring N or solving the <A href="#dlog">discrete logarithm</A>
 problem for this field. If p, q are large primes (hundreds or 
thousands of bits) no efficient solution to either problem is known. 
<P> The receiver, knowing the private key (N and d), can readily find x 
sixce: </P>
<PRE>
        c^d == (x^e)^d          modulo N
            == x^ed             modulo N
            == x                modulo N
</PRE>
 This gives an effective public key technique, with only a couple of 
problems. It uses a good deal of computer time, since calculations with 
large integers are not cheap, and there is no proof it is necessarily 
secure since no-one has proven either factoring or discrete log cannot 
be done efficiently. 
<DT><A name="RSAco">RSA Data Security</A></DT>
<DD>A company founded by the inventors of the <A href="#RSA">RSA</A>
 public key algorithm.</DD>
<DT><A name="S">S</A></DT>
<DT><A name="SA">SA</A></DT>
<DD><B>S</B>ecurity <B>A</B>ssociation, the channel negotiated by the 
 higher levels of an <A href="#IPSEC">IPSEC</A> implementation and used 
 by the lower. SAs are unidirectional; you need a pair of them for 
 two-way communication. </DD>
<P>An SA is defined by three things -- the destination, the protocol  (<A
href="#AH">AH</A> or<A href="#ESP">ESP</A>) and the <A href="SPI">SPI</A>
, security parameters index. It is used to index  other things such as 
session keys and intialisation vectors.</P>
<P>For more detail, see our section on <A href="ipsec.html">IPSEC</A>
 and/or RFC 2401.</P>
<DT><A name="SDNS"><A href="http://www.toad.com/~dnssec">Secure DNS</A></A>
</DT>
<DD>A version of the <A href="#DNS">DNS or Domain Name Service</A>
 enhanced with authentication services. This is being designed by the <A href="#IETF">
 IETF</A> DNS security <A href="http://www.ietf.org/ids.by.wg/dnssec.html">
 working group</A>.  Check the <A href="http://www.isc.org/bind.html">
 Internet Software Consortium</A> for information on implementation 
progress and for  the latest version of <A href="#BIND">BIND</A>. 
Another site has <A href="http://www.toad.com/~dnssec">more information</A>
. </DD>
<P><A href="#IPSEC">IPSEC</A> can use this plus <A href="#DH">
Diffie-Hellman key exchange</A> to bootstrap itself. This  would allow <A
href="#carpediem">opportunistic encryption</A>. Any  pair of machines 
which could authenticate each other via DNS could  communicate 
securely, without either a pre-existing shared secret or a  shared <A href="#PKI">
PKI</A>.</P>
<P><A href="#FreeSWAN">Linux FreeS/WAN</A> will support this in a 
 future release.</P>
<DT>Secret key cryptography</DT>
<DD>See <A href="#symmetric">symmetric cryptography</A></DD>
<DT>Security Association</DT>
<DD>see <A href="#SA">SA</A></DD>
<DT><A name="sequence">Sequence number</A></DT>
<DD>A number added to a packet or message which indicates its position 
 in a sequence of packets or messages. This provides some security 
 against <A href="#replay">replay attacks</A>. </DD>
<P>For <A href="#auto">automatic keying</A> mode, the <A href="#IPSEC">
IPSEC</A> RFCs require that the sender generate sequence  numbers for 
each packet, but leave it optional whether the receiver  does anything 
with them.</P>
<DT><A name="SHA">SHA</A></DT>
<DD><B>S</B>ecure <B>H</B>ash <B>A</B>lgorithm, a <A href="#digest">
message digest algorithm</A> developed by the <A href="#NSA">NSA</A>
 for use in the Digital Signature standard, <A href="#FIPS">FIPS</A>
 number 186 from <A href="#NIST">NIST</A>. SHA is  an improved variant 
of <A href="#MD4">MD4</A> producing a 160-bit  hash. </DD>
<P>SHA is one of two message digest algorithms available in IPSEC. The 
 other is <A href="#MD5">MD5</A>. Some people do not trust SHA because 
 it was developed by the <A href="#NSA">NSA</A>. There is, as far as we 
 know, no cryptographic evidence that SHA is untrustworthy, but this 
 does not prevent that view from being strongly held.</P>
<DT><A name="SIGINT">Signals intelligence (SIGINT)</A></DT>
<DD>Activities of government agencies from various nations aimed at 
 protecting their own communications and reading those of others. 
 Cryptography, cryptanalysis, wiretapping, interception and monitoring 
 of various sorts of signals. The players include the American <A href="#NSA">
NSA</A>, British <A href="#GCHQ">GCHQ</A> and Canadian <A href="#CSE">
CSE</A>.</DD>
<DT><A name="SKIP">SKIP</A></DT>
<DD><B>S</B>imple <B>K</B>ey management for <B>I</B>nternet <B> P</B>
rotocols, an alternative to <A href="#IKE">IKE</A> developed  by Sun 
and being marketed by their <A href="http://skip.incog.com">Internet 
Commerce Group</A>.</DD>
<DT><A name="snake">Snake oil</A></DT>
<DD>Bogus cryptography. See the <A href="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html">
 Snake Oil FAQ</A> or <A href="http://www.counterpane.com/crypto-gram-9902.html#snakeoil">
this  paper</A> by Schneier.</DD>
<DT><A name="SPI">SPI</A></DT>
<DD><B>S</B>ecurity <B>P</B>arameter <B>I</B>ndex, an index used within <A
href="#IPSEC"> IPSEC</A> to keep connections distinct. A <A href="#SA">
Security Association (SA)</A> is defined by destination,  protocol and 
SPI. Without the SPI, two connections to the same gateway  using the 
same protocol could not be distinguished. </DD>
<P>For more detail, see our <A href="#SPI">IPSEC Overview</A> and/or 
 RFC 2401.</P>
<DT><A name="SSH">SSH</A></DT>
<DD><B>S</B>ecure <B>SH</B>ell, an encrypting replacement for the 
 insecure Berkeley commands whose names begin with &quot;r&quot; for &quot;remote&quot;: 
 rsh, rlogin, etc. </DD>
<P>For more information on SSH, including how to obtain it, see our 
 cryptography <A href="#tools">links</A>.</P>
<DT><A name="SSHco">SSH Communications Security</A></DT>
<DD>A company founded by the authors of <A href="#SSH">SSH</A>. Offices 
 are in <A href="http://www.ssh.fi">Finland</A> and <A href="http://www.ipsec.com">
California</A>. They have a toolkit for  developers of IPSEC 
applications.</DD>
<DT><A name="SSL">SSL</A></DT>
<DD><A href="http://home.netscape.com/eng/ssl3">Secure Sockets  Layer</A>
, a set of encryption and authentication services for web  browsers, 
developed by Netscape. Widely used in Internet commerce.  Also known as <A
href="#TLS">TLS</A>.</DD>
<DT>SSLeay</DT>
<DD>A free implementation of <A href="#SSL">SSL</A> by Eric Young (eay) 
 and others. Developed in Australia; not subject to US export  controls.</DD>
<DT><A name="stream">Stream cipher</A></DT>
<DD>A <A href="#symmetric">symmetric cipher</A> which produces a stream 
 of output which can be combined (often using XOR or bytewise addition) 
 with the plaintext to produce ciphertext. Contrasts with <A href="#block">
block cipher</A>. </DD>
<P><A href="#IPSEC">IPSEC</A> does not use stream ciphers. Their main 
 application is link-level encryption, for example of voice, video or 
 data streams on a wire or a radio signal.</P>
<DT><A name="subnet">subnet</A></DT>
<DD>A group of IP addresses which are logically one network, typically 
 (but not always) assigned to a group of physically connected machines. 
 The range of addresses in a subnet is described using a subnet mask. 
 See next entry.</DD>
<DT>subnet mask</DT>
<DD>A method of indicating the addresses included in a subnet. Here are 
 two equivalent examples:
<UL>
<LI>101.101.101.0/24</LI>
<LI>101.101.101.0 with mask 255.255.255.0</LI>
</UL>
</DD>
<P>The '24' is shorthand for a mask with the top 24 bits one and the 
 rest zero. This is exactly the same as 255.255.255.0 which has three 
 all-ones bytes and one all-zeros byte.</P>
<P>These indicate that, for this range of addresses, the top 24 bits 
 are to be treated as naming a network (often referred to as &quot;the 
 101.101.101.0/24 subnet&quot;) while most combinations of the low 8 bits 
 can be used to designate machines on that network. Two addresses are 
 reserved; 101.101.101.0 refers to the subnet rather than a specific 
 machine while 101.101.101.255 is a broadcast address. 1 to 254 are 
 available for machines.</P>
<P>It is common to find subnets arranged in a hierarchy. For example, 
 a large company might have a /16 subnet and allocate /24 subnets 
 within that to departments. An ISP might have a large subnet and 
 allocate /26 subnets (64 addresses, 62 usable) to business customers 
 and /29 subnets (8 addresses, 6 usable) to residential clients.</P>
<DT><A name="SWAN">S/WAN</A></DT>
<DD>Secure Wide Area Network, a project involving <A href="#RSAco">RSA 
 Data Security</A> and a number of other companies. The goal was to 
 ensure that all their <A href="#IPSEC">IPSEC</A> implementations would 
 interoperate so that their customers can communicate with each other 
 securely.</DD>
<DT><A name="symmetric">Symmetric cryptography</A></DT>
<DD>Symmetric cryptography, also referred to as conventional or secret 
 key cryptography, relies on a <EM>shared secret key</EM>, identical 
 for sender and receiver. Sender encrypts with that key, receiver 
 decrypts with it. The idea is that an eavesdropper without the key be 
 unable to read the messages. There are two main types of symmetric 
 cipher, <A href="#block">block ciphers</A> and <A href="#stream">
stream ciphers</A>. </DD>
<P>Symmetric cryptography contrasts with <A href="#public">public  key</A>
 or asymmetric systems where the two players use different  keys.</P>
<P>The great difficulty in symmetric cryptography is, of course, key 
 management. Sender and receiver <EM>must</EM> have identical keys and 
 those keys <EM>must</EM> be kept secret from everyone else. Not too 
 much of a problem if only two people are involved and they can 
 conveniently meet privately or employ a trusted courier. Quite a 
 problem, though, in other circumstances.</P>
<P>It gets much worse if there are many people. An application might 
 be written to use only one key for communication among 100 people, for 
 example, but there would be serious problems. Do you actually trust 
 all of them that much? Do they trust each other that much? Should 
 they? What is at risk if that key is compromised? How are you  going 
 to distribute that key to everyone without risking its secrecy? What 
 do you do when one of them leaves the company? Will you even know?</P>
<P>On the other hand, if you need unique keys for every possible 
 connection between a group of 100, then each user must have 99 keys. 
 You need either 99*100/2 = 4950 <EM>secure</EM> key exchanges between 
 users or a central authority that <EM>securely</EM> distributes 100 
 key packets, each with a different set of 99 keys.</P>
<P>Either of these is possible, though tricky, for 100 users. Either 
 becomes an administrative nightmare for larger numbers. Moreover, keys <EM>
 must</EM> be changed regularly, so the problem of key distribution 
 comes up again and again. If you use the same key for many messages 
 then an attacker has more text to work with in an attempt to crack 
 that key. Moreover, one successful crack will give him or her the text 
 of all those messages.</P>
<P>In short, the <EM>hardest part of conventional cryptography is key 
 management</EM>. Today the standard solution is to build a <A href="#hybrid">
hybrid system</A> using <A href="#public">public  key</A> techniques to 
manage keys.</P>
<DT><A name="T">T</A></DT>
<DT><A name="TIS">TIS</A></DT>
<DD><A href="http://www.tislabs.com">Trusted Information Systems</A>, a 
 firewall vendor now part of <A href="#NAI">NAI</A>. Their Gauntlet 
 product offers IPSEC VPN services. TIS implemented the first version 
 of <A href="#SNDS">Secure DNS</A> on a <A href="#DARPA">DARPA</A>
 contract.</DD>
<DT><A name="TLS">TLS</A></DT>
<DD><B>T</B>ransport <B>L</B>ayer <B>S</B>ecurity, a newer name for <A href="#SSL">
SSL</A>.</DD>
<DT><A name="traffic">Traffic analysis</A></DT>
<DD>Deducing useful intelligence from patterns of message traffic, 
 without breaking codes or reading the messages. In one case during 
 World War II, the British knew an attack was coming because all German 
 radio traffic stopped. The &quot;radio silence&quot; order, intended to preserve 
 security, actually gave the game away. </DD>
<P>In an industrial espionage situation, one might deduce something 
 interesting just by knowing that company A and company B were talking, 
 especially if one were able to tell which departments were involved, 
 or if one already knew that A was looking for acquisitions and B was 
 seeking funds for expansion.</P>
<P><A href="#IPSEC">IPSEC</A> itself does not defend against this, but 
 carefully thought out systems using IPSEC can provide at least partial 
 protection. In particular, one might want to encrypt more traffic than 
 was strictly necessary, route things in odd ways, or even encrypt 
 dummy packets, to confuse the analyst.</P>
<DT><A name="transport">Transport mode</A></DT>
<DD>An IPSEC application in which the IPSEC gateway is the destination 
 of the protected packets, a machine acts as its own gateway. Contrast 
 with <A href="#tunnel">tunnel mode</A>.</DD>
<DT>Triple DES</DT>
<DD>see <A href="#3DES">3DES</A></DD>
<DT><A name="tunnel">Tunnel mode</A></DT>
<DD>An IPSEC application in which an IPSEC gateway provides protection 
 for packets to and from other systems. Contrast with <A href="#transport">
transport mode</A>.</DD>
<DT><A name="2key">Two-key Triple DES</A></DT>
<DD>A variant of <A href="#3DES">triple DES or 3DES</A> in which only 
 two keys are used. As in the three-key version, the order of 
 operations is <A href="#EDE">EDE</A> or encrypt-decrypt-encrypt, but 
 in the two-key variant the first and third keys are the same. </DD>
<P>3DES with three keys has 3*56 = 168 bits of key but has only 
 112-bit strength against a <A href="#meet">meet-in-the-middle</A>
 attack, so it is possible that the two key version is just as strong. 
 Last I looked, this was an open question in the research  literature.</P>
<P>RFC 2451 defines triple DES for <A href="#IPSEC">IPSEC</A> as the 
 three-key variant. The two-key variant should not be used and is not 
 implemented directly in <A href="#FreeSWAN">Linux FreeS/WAN</A>. It 
 cannot be used in automatically keyed mode without major fiddles in 
 the source code. For manually keyed connections, you could make Linux 
 FreeS/WAN talk to a two-key implementation by setting two keys the 
 same in /etc/ipsec.conf.</P>
<DT><A name="U">U</A></DT>
<DT><A name="V">V</A></DT>
<DT><A name="virtual">Virtual Interface</A></DT>
<DD>A <A href="#Linux">Linux</A> feature which allows one physical 
 network interface to have two or more IP addresses. See the <CITE>
 Linux Network Administrator's Guide</CITE> in <A href="#kirch">book 
form</A> or <A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">on 
the web</A> for details.</DD>
<DT>Virtual Private Network</DT>
<DD>see <A href="#VPN">VPN</A></DD>
<DT><A name="VPN">VPN</A></DT>
<DD><B>V</B>irtual <B>P</B>rivate <B>N</B>etwork, a network which can 
 safely be used as if it were private, even though some of its 
 communication uses insecure connections. All traffic on those 
 connections is encrypted. </DD>
<P><A href="#IPSEC">IPSEC</A> is not the only technique available for 
 building VPNs, but it is the only method defined by <A href="#RFC">RFCs</A>
 and supported by many vendors. VPNs are by no  means the only thing 
you can do with IPSEC, but they may be the most  important application 
for many users.</P>
<DT><A name="VPNC">VPNC</A></DT>
<DD><A href="http://www.vpnc.org">Virtual Private Network  Consortium</A>
, an association of vendors of VPN products.</DD>
<DT><A name="W">W</A></DT>
<DT>Wassenaar Arrangement</DT>
<DD>An international agreement restricting export of munitions and 
other  tools of war. Unfortunately, cryptographic software is also 
restricted  under the current version of the agreement. <A href="#Wassenaar">
 Discussion</A>.</DD>
<DT><A name="web">Web of Trust</A></DT>
<DD><A href="#PGP">PGP</A>'s method of certifying keys. Any user can 
 sign a key; you decide which signatures or combinations of signatures 
 to accept as certification. This contrasts with the hierarchy of <A href="#CA">
CAs (Certification Authorities)</A> used in many <A href="#PKI">PKIs 
(Public Key Infrastructures)</A>. </DD>
<P>See <A href="#GTR">Global Trust Register</A> for an interesting 
 addition to the web of trust.</P>
<DT><A name="X">X</A></DT>
<DT><A name="X509">X.509</A></DT>
<DD>A standard from the <A href="http://www.itu.int">ITU (International 
 Telecommunication Union)</A>, for hierarchical directories with 
 authentication services, used in many <A href="#PKI">PKI</A>
 implementations. </DD>
<P>Use of X.509 services, via the <A href="#LDAP">LDAP protocol</A>, 
 for certification of keys is allowed but not required by the <A href="#IPSEC">
IPSEC</A> RFCs. It is not yet implemented in <A href="#FreeSWAN">Linux 
FreeS/WAN</A>.</P>
<DT><A href="http://www.xedia.com">Xedia</A></DT>
<DD>A vendor of router and Internet access products. Their QVPN 
products  interoperate with Linux FreeS/WAN; see our <A href="#Xedia">
compatibility document</A>.</DD>
<DT><A name="Y">Y</A></DT>
<DT><A name="Z">Z</A></DT>
</DL>
<HR>
<H1><A name="biblio">Bibliography for the Linux FreeS/WAN project</A></H1>
<P> For extensive bibliographic links, see the <A href="http://liinwww.ira.uka.de/bibliography/index.html">
Collection of  Computer Science Bibliographies</A></P>
<P> See our <A href="web.html">web links</A> for material available 
 online.</P>
<HR><A name="adams"> Carlisle Adams and Steve Lloyd <CITE>Understanding 
Public  Key Infrastructure</CITE>
<BR></A> Macmillan 1999 ISBN 1-57870-166-x
<BR> An overview, mainly concentrating on policy and strategic issues 
rather than the technical details. Both authors work for <A href="#PKI">
PKI</A> vendor <A href="http://www.entrust.com/">Entrust</A>. 
<HR><A name="DNS.book"> Albitz, Liu &amp; Loukides <CITE>DNS &amp;  BIND</CITE>
 3rd edition
<BR></A> O'Reilly 1998 ISBN 1-56592-512-2
<BR> The standard reference on the <A href="#DNS">Domain Name Service</A>
 and <A href="#BIND">Berkeley Internet Name Daemon</A>. 
<HR><A name="puzzle"> Bamford <CITE>The Puzzle Palace, A report on NSA, 
 Americas's most Secret Agency</CITE>
<BR> Houghton Mifflin 1982  ISBN 0-395-31286-8</A>
<HR><A name="bander"> David Bander, <CITE>Linux Security Toolkit</CITE>
<BR> IDG Books, 2000, ISBN: 0764546902
<BR> This book has a short section on FreeS/WAN and includes Caldera 
Linux on CD. 
<HR><A name="CZR"> Chapman, Zwicky &amp; Russell <CITE>Building Internet 
 Firewalls</CITE>
<BR> O'Reilly 1995 ISBN 1-56592-124-0</A>
<HR><A name="firewall2"> Cheswick and Bellovin</A><CITE> Firewalls and 
 Internet Security: Repelling the Wily Hacker</CITE>
<BR> Addison-Wesley 1994 ISBN 0201633574
<BR> A fine book on firewalls in particular and security in general 
from two of  AT&amp;T's system adminstrators. 
<P> Bellovin has also done a number of <A href="#papers">papers</A> on 
IPSEC and co-authored a <A href="#applied">paper</A> on a large 
FreeS/WAN application. </P>
<HR><A name="comer"> Comer <CITE>Internetworking with TCP/IP</CITE>
<BR> Prentice Hall</A>
<UL>
<LI>Vol. I: Principles, Protocols, &amp; Architecture, 3rd Ed. 1995 
 ISBN:0-13-216987-8</LI>
<LI>Vol. II: Design, Implementation, &amp; Intervals, 2nd Ed. 1994 
 ISBN:0-13-125527-4</LI>
<LI>Vol. III: Client/Server Programming &amp; Applications 
<UL>
<LI>AT&amp;T TLI Version  1994 ISBN:0-13-474230-3</LI>
<LI>BSD Socket Version 1996 ISBN:0-13-260969-X</LI>
<LI>Windows Sockets Version 1997 ISBN:0-13-848714-6</LI>
</UL>
</LI>
</UL>
<P>If you need to deal with the details of the network protocols, read 
 either this series or the <A href="#stevens">Stevens and Wright</A>
 series  before you start reading the RFCs. </P>
<HR><A name="diffie"> Diffie and Landau</A><CITE> Privacy on the Line: 
The Politics of Wiretapping and Encryption</CITE>
<BR> MIT press 1998 ISBN 0-262-04167-7 (hardcover) or 0-262-54100-9
<BR> An <A href="http://www-mitpress.mit.edu/news/diffie/">interview 
with the authors</A> is available on the web. 
<HR><A name="d_and_hark"> Doraswamy and Harkins <CITE>IP Sec: The New 
 Security Standard for the Internet, Intranets and Virtual Private 
 Networks</CITE>
<BR> Prentice Hall 1999 ISBN: 0130118982</A>
<HR><A name="EFF"> Electronic Frontier Foundation <CITE>Cracking DES: 
Secrets  of Encryption Research, Wiretap Politics and Chip Design</CITE>
<BR></A> O'Reilly 1998 ISBN 1-56592-520-3
<BR> To conclusively demonstrate that DES is inadequate for continued 
use, the <A href="#EFF">EFF</A> built a machine for just over $200,000 
that breaks DES  encryption in under five days on average, under nine 
in the worst case.
<P>The book provides details of their design and, perhaps even more 
 important, discusses why they felt the project was necessary. 
Recommended  for anyone interested in any of the three topics mentioned 
in the  subtitle.</P>
<P>See also the <A href="http://www.eff.org/descracker.html"> EFF page 
on  this project </A> and our discussion of <A href="#desnotsecure">DES 
 insecurity</A>. </P>
<HR> Martin Freiss <CITE>Protecting Networks with SATAN</CITE>
<BR> O'Reilly 1998 ISBN 1-56592-425-8
<BR> translated from a 1996 work in German
<BR> SATAN is a Security Administrator's Tool for Analysing Networks. 
This book  is a tutorial in its use. 
<HR> Gaidosch and Kunzinger<CITE> A Guide to Virtual Private  Networks</CITE>
<BR> Prentice Hall 1999 ISBN: 0130839647 
<HR><A name="Garfinkel"> Simson Garfinkel <CITE>Database Nation: the 
death of  privacy in the 21st century</CITE>
<BR> O'Reilly 2000 ISBN 1-56592-653-6
<BR> A thoughtful and rather scary book.</A>
<HR><A name="PGP"> Simson Garfinkel <CITE>PGP: Pretty Good Privacy</CITE>
<BR> O'Reilly 1995 ISBN 1-56592-098-8
<BR> An excellent introduction and user manual for the </A><A href="#PGP">
PGP</A> email-encryption package.  PGP is a good package with a complex 
and  poorly-designed user interface. This book or one like it is a must 
for  anyone who has to use it at length.
<P>The book covers using PGP in Unix, PC and Macintosh environments, 
plus  considerable background material on both the technical and 
political issues  around cryptography. The only shortcoming is that it 
does not cover recent  developments such as PGP 5 and Open PGP. </P>
<HR><A name="practical"> Garfinkel and Spafford <CITE>Practical Unix 
 Security</CITE>
<BR> O'Reilly 1996 ISBN 1-56592-148-8
<BR> A standard reference.
<BR> Spafford's web page has an excellent collection of <A href="http://www.cs.purdue.edu/coast/hotlist">
 crypto and security  links</A>. 
<HR><A name="Kahn"> David Kahn <CITE>The Codebreakers: the 
Comprehensive  History of Secret Communications from Ancient Times to 
the  Internet</CITE>
<BR> second edition Scribner 1996 ISBN 0684831309
<BR> A history of codes and code-breaking from ancient Egypt to the 
20th century.  Well-written and exhaustively researched. <STRONG>Highly 
recommended</STRONG>,  even though it  does not have much on computer 
cryptography.</A>
<HR> David Kahn <CITE>Seizing the Enigma, The Race to Break the German 
U-Boat  codes, 1939-1943</CITE>
<BR> Houghton Mifflin 1991 ISBN 0-395-42739-8 
<HR><A name="kirch"> Olaf Kirch <CITE>Linux Network Administrator's 
 Guide</CITE>
<BR> O'Reilly 1995 ISBN 1-56592-087-2
<BR> Now becoming somewhat dated in places, but still a good 
introductory book  and general reference.</A>
<HR><A name="RFCs"> Pete Lashin <CITE>Big Book of IPSEC RFCs</CITE>
<BR> Morgan Kaufmann 2000 ISBN: 0-12-455839-9</A>
<HR><A name="crypto"> Steven Levy <CITE>Crypto: How the Code Rebels 
Beat the Government -- Saving Privacy in the Digital Age</CITE></A>
<BR> Penguin 2001, ISBN 0-670--85950-8
<BR><STRONG> Highly recommended</STRONG>. A fine history of recent 
(about 1970-2000) developments in the field, and the related political 
controversies. FreeS/WAN project founder and leader John Gilmore 
appears several times. 
<P> The book does not cover IPSEC or FreeS/WAN, but this project is 
very much another battle in the same war.  See our discussion of the <A href="politics.html">
politics</A>. </P>
<HR><A name="GTR"> Matyas, Anderson et al. <CITE>The Global Trust 
 Register</CITE>
<BR> Northgate Consultants Ltd 1998 ISBN: 0953239705
<BR> hard cover edition due April 1999 MIT Press ISBN 0262511053
<BR> From <A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
 their web page</A>: <BLOCKQUOTE> This book is a register of the 
fingerprints of the world's most important  public keys; it implements 
a top-level certification authority (CA) using  paper and ink rather 
than in an electronic system.</BLOCKQUOTE>
<HR><A name="handbook"> Menezies, van Oorschot and Vanstone <CITE>
Handbook of  Applied Cryptography</CITE></A>
<BR> CRC Press 1997
<BR> ISBN 0-8493-8523-7
<BR> An excellent reference. Read <A href="#schneier">Schneier</A>
 before  tackling this. 
<HR><A name="Mourani"> Gerhard Mourani <CITE>Get Acquainted with Linux 
 Security and Optimization System</CITE></A>
<BR> Available online as a <A href="http://pages.infinit.net/lotus1/">
PDF  file</A>. It did not yet cover IPSEC when we last looked. 
<HR> Michael Padlipsky <CITE>Elements of Networking Style</CITE>
<BR> Prentice-Hall 1985 ISBN 0-13-268111-0 or 0-13-268129-3
<BR> Probably <STRONG>the funniest technical book ever written</STRONG>
, this is a vicious but  well-reasoned attack on the OSI &quot;seven layer 
model&quot; and all that went with  it. Several chapters of it are also 
available as RFCs 871 to 875. 
<HR><A name="matrix"> John S. Quarterman <CITE>The Matrix: Computer 
Networks  and Conferencing Systems Worldwide</CITE>
<BR> Digital Press 1990  ISBN 155558-033-5
<BR> Prentice-Hall ISBN 0-13-565607-9
<BR> The best general treatment of computer-mediated communication we 
have seen.  It naturally has much to say about the Internet, but also 
covers UUCP,  Fidonet and so on.</A>
<HR><A name="ranch"> David Ranch <CITE>Securing Linux Step by Step</CITE>
<BR> SANS Institute, 1999
<BR></A><A href="http://www.sans.org/"> SANS</A> is a respected 
organisation,  this guide is part of a well-known series, and Ranch has 
previously written  the useful <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri">
Trinity  OS</A> guide to securing Linux, so my guess would be this is a 
pretty good  book. I haven't read it yet, so I'm not certain. It can be 
ordered online  from <A href="http://www.sans.org/">SANS</A>. 
<HR><A name="schneier"> Bruce Schneier <CITE>Applied Cryptography, 
Second  Edition</CITE>
<BR> John Wiley &amp; Sons, 1996
<BR> ISBN 0-471-12845-7 hardcover
<BR> ISBN 0-471-11709-9 paperback
<BR> A standard reference on computer cryptography. For more recent 
essays, see  the <A href="http://www.counterpane.com/">author's 
company's web  site</A>. 
<HR><A name="secrets"> Bruce Schneier <CITE>Secrets and Lies</CITE>
<BR> Wiley 2000, ISBN 0-471-25311-1
<BR> An interesting discussion of security and privacy issues, written 
with more of an &quot;executive overview&quot; approach rather than a narrow 
focus on the technical issues. <STRONG>Highly recommended</STRONG>. 
<HR><A name="VPNbook"> Scott, Wolfe and Irwin <CITE>Virtual Private 
 Networks</CITE></A>
<BR> 2nd edition, O'Reilly 1999 ISBN: 1-56592-529-7
<BR> This is the only O'Reilly book, out of a dozen I own, that I'm 
disappointed  with. It deals mainly with building VPNs with various 
proprietary tools  -- <A href="#PPTP">PPTP</A>, <A href="#SSH">SSH</A>, 
Cisco PIX, ... --  and touches only lightly on IPSEC-based approaches.
<P>That said, it appears to deal competently with what it does cover 
and it  has readable explanations of many basic VPN and security 
concepts. It may be  exactly what some readers require, even if I find 
the emphasis  unfortunate. </P>
<HR><A name="LASG"> Kurt Seifried <CITE>Linux Administrator's Security 
 Guide</CITE></A>
<BR> Available online from <A href="http://www.securityportal.com/lasg/">
Security Portal</A>. It has  fairly extensive coverage of IPSEC. 
<HR><A name="Smith"> Richard E Smith <CITE>Internet Cryptography</CITE>
<BR></A> ISBN 0-201-92480-3, Addison Wesley, 1997
<BR> See the book's <A href="http://www.visi.com/crypto/inet-crypto/index.html">
home page</A>
<HR><A name="neal"> Neal Stephenson <CITE>Cryptonomicon</CITE></A>
<BR> Hardcover ISBN -380-97346-4, Avon, 1999. 
<P> A novel in which cryptography and the net figure prominently. <STRONG>
Highly recommended</STRONG>: I liked it enough I immediately went out 
and bought all the author's other books. </P>
<P> There is also a paperback edition. Sequels are expected. </P>
<HR><A name="stevens"> Stevens and Wright <CITE>TCP/IP Illustrated</CITE>
<BR> Addison-Wesley</A>
<UL>
<LI>Vol. I: The Protocols 1994 ISBN:0-201-63346-9</LI>
<LI>Vol. II: The Implementation 1995 ISBN:0-201-63354-X</LI>
<LI>Vol. III: TCP for Transactions, HTTP, NNTP, and the UNIX Domain 
 Protocols 1996 ISBN: 0-201-63495-3</LI>
</UL>
<P> If you need to deal with the details of the network protocols, read 
either this series or the <A href="#comer">Comer</A> series before you 
start reading the RFCs. </P>
<HR><A name="Rubini"> Rubini <CITE>Linux Device Drivers</CITE>
<BR> O'Reilly &amp; Associates, Inc. 1998 ISBN 1-56592-292-1</A>
<HR><A name="Zeigler"> Robert Zeigler <CITE>Linux Firewalls</CITE>
<BR> Newriders Publishing, 2000 ISBN 0-7537-0900-9
<BR></A></A></A></A></A></A><HR>
<H1><A name="RFC">IPSEC RFCs and related documents</A></H1>
<H2><A name="RFCfile">The RFCs.tar.gz Distribution File</A></H2>
<P>The Linux FreeS/WAN distribution is available from:</P>
<A href="http://www.xs4all.nl/~freeswan"> our primary distribution site</A>
 and various mirror sites. To give people more control over their 
downloads, the RFCs that define IP security are bundled separately in 
the file RFCs.tar.gz. 
<P>The file you are reading is included in the main distribution and is 
available on the web site. It describes the RFCs included in the <A href="#RFCs.tar.gz">
RFCs.tar.gz</A> bundle and gives some pointers to <A href="#sources">
other ways to get them</A>.</P>
<H2><A name="sources">Other sources for RFCs &amp; Internet drafts</A></H2>
<H3><A name="RFCdown">RFCs</A></H3>
<P> RFCs are downloadble at many places around the net such as:</P>
<UL>
<LI><A href="http://www.rfc-editor.org">http://www.rfc-editor.org</A></LI>
<LI><A href="http://nis.nsf.net/internet/documents/rfc">NSF.net</A></LI>
<LI><A href="http://sunsite.doc.ic.ac.uk/computing/internet/rfc">
Sunsite in  the UK</A></LI>
</UL>
<P> browsable in HTML form at others such as:</P>
<UL>
<LI><A href="http://www.landfield.com/rfcs/index.html">landfield.com</A></LI>
<LI><A href="http://www.library.ucg.ie/Connected/RFC">Connected 
Internet  Encyclopedia</A></LI>
</UL>
<P> and some of them are available in translation:</P>
<UL>
<LI><A href="http://www.eisti.fr/eistiweb/docs/normes/">French</A></LI>
</UL>
<P> There is also a published <A href="#RFCs1">Big Book of IPSEC RFCs</A>
.</P>
<H3><A name="drafts">Internet Drafts</A></H3>
<P> Internet Drafts, working documents which sometimes evolve into 
RFCs, are also available. </P>
<UL>
<LI><A href="http://www.ietf.org/ID.html">Overall reference page</A></LI>
<LI>drafts from the <A href="http://www.ietf.org/ids.by.wg/ipsec.html">
IPSEC</A> working  group</LI>
<LI>drafts from the <A href="http://www.ietf.org/ids.by.wg/ipsra.html">
IPSRA  (IPSEC Remote Access)</A> working group</LI>
</UL>
<P> Note: some of these may be obsolete, replaced by later drafts or by 
RFCs. </P>
<H3><A name="FIPS1">FIPS standards</A></H3>
<P> Some things used by <A href="#IPSEC">IPSEC</A>, such as <A href="#DES">
DES</A> and <A href="#SHA">SHA</A>, are defined by US government 
standards called <A href="#FIPS">FIPS</A>. The issuing organisation, <A href="#NIST">
NIST</A>, have a <A href="http://www.itl.nist.gov/div897/pubs">FIPS 
home page</A>. </P>
<H3><A name="doc.cd">Document CDs</A></H3>
<P> At least one vendor sells CD-ROMs of RFCs and Internet Drafts: </P>
<UL>
<LI><A href="http://www.cdrom.com/titles/educate/inet.phtml">Walnut 
Creek  CDROM</A></LI>
</UL>
<P> Note: The 2401-2412 group of IPSEC RFCs were issued in late 
November 1998, and the 2535-2539 group on Secure DNS in March 1999, so 
an older CD may not be particularly useful if these areas are your main 
concern.</P>
<H2><A name="RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></H2>
<P> All filenames are of the form rfc*.txt, with the * replaced with 
the RFC number. </P>
<PRE>
RFC#        Title
</PRE>
<H3><A name="rfc.ov">Overview RFCs</A></H3>
<PRE>
2401        Security Architecture for the Internet Protocol
2411        IP Security Document Roadmap
</PRE>
<H3><A name="basic.prot">Basic protocols</A></H3>
<PRE>
2402        IP Authentication Header
2406        IP Encapsulating Security Payload (ESP)
</PRE>
<H3><A name="key.ike">Key management</A></H3>
<PRE>
2367        PF_KEY Key Management API, Version 2
2407        The Internet IP Security Domain of Interpretation for ISAKMP
2408        Internet Security Association and Key Management Protocol (ISAKMP)
2409        The Internet Key Exchange (IKE)
2412        The OAKLEY Key Determination Protocol
2528        Internet X.509 Public Key Infrastructure
</PRE>
<H3><A name="rfc.detail">Details of various things used</A></H3>
<PRE>
2085        HMAC-MD5 IP Authentication with Replay Prevention
2104        HMAC: Keyed-Hashing for Message Authentication
2202        Test Cases for HMAC-MD5 and HMAC-SHA-1
2207        RSVP Extensions for IPSEC Data Flows
2403        The Use of HMAC-MD5-96 within ESP and AH
2404        The Use of HMAC-SHA-1-96 within ESP and AH
2405        The ESP DES-CBC Cipher Algorithm With Explicit IV
2410        The NULL Encryption Algorithm and Its Use With IPsec
2451        The ESP CBC-Mode Cipher Algorithms
2521        ICMP Security Failures Messages
</PRE>
<H3><A name="rfc.ref">Older RFCs which may be referenced</A></H3>
<PRE>
1321        The MD5 Message-Digest Algorithm
1828        IP Authentication using Keyed MD5
1829        The ESP DES-CBC Transform
1851        The ESP Triple DES Transform
1852        IP Authentication using Keyed SHA
</PRE>
<H3><A name="rfc.dns">RFCs for secure DNS service, which IPSEC may use</A>
</H3>
<PRE>
2137        Secure Domain Name System Dynamic Update
2230        Key Exchange Delegation Record for the DNS
2535        Domain Name System Security Extensions
2536        DSA KEYs and SIGs in the Domain Name System (DNS)
2537        RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
2538        Storing Certificates in the Domain Name System (DNS)
2539        Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
</PRE>
<H3><A name="rfc.exp">RFCs labelled &quot;experimental&quot;</A></H3>
<PRE>
2521        ICMP Security Failures Messages
2522        Photuris: Session-Key Management Protocol
2523        Photuris: Extended Schemes and Attributes
</PRE>
<H3><A name="rfc.rel">Related RFCs</A></H3>
<PRE>
1750        Randomness Recommendations for Security
1918        Address Allocation for Private Internets
1984        IAB and IESG Statement on Cryptographic Technology and the Internet
2144        The CAST-128 Encryption Algorithm
</PRE>
<HR>
<H1><A NAME="18">FreeS/WAN FAQ</A></H1>
<P> This is a collection of questions and answers, mostly taken from 
the FreeS/WAN <A href="mail.html">mailing list</A>. See the project <A href="http://www.freeswan.org/">
web site</A> for more information. All the FreeS/WAN documentation is 
online there.</P>
<P> Contributions to the FAQ are welcome. Please send them to the 
project <A href="mail.html">mailing list</A>.</P>
<HR>
<H2><A name="questions">Questions</A></H2>
<UL>
<LI><A href="#whatzit"> What is FreeS/WAN?</A></LI>
<LI><A href="#problems"> How do I report a problem or seek help?</A></LI>
<LI><A href="#generic">Generic questions</A></LI>
<UL>
<LI><A href="#lemme_out"> This is too complicated. Isn't there an 
easier way?</A></LI>
<LI><A href="#commercial"> Can I get commercial support for this 
product?</A></LI>
<LI><A href="#modify.faq"> Can I modify FreeS/WAN to ...?</A></LI>
<LI><A href="#contrib.faq"> Can I contribute to the project?</A></LI>
<LI><A href="#ddoc.faq">Is there detailed design documentation?</A></LI>
<LI><A href="#interop.faq"> Can FreeS/WAN talk to ...?</A></LI>
<LI><A href="#old_to_new"> Can different FreeS/WAN versions talk to 
each other?</A></LI>
<LI><A href="#versions"> Does FreeS/WAN run on my version of Linux?</A></LI>
<LI><A href="#k.versions"> Does FreeS/WAN run on the latest kernel 
version?</A></LI>
<LI><A href="#faq.speed"> Is a ... fast enough to handle FreeS/WAN with 
... connections?</A></LI>
</UL>
<LI><A href="#compile.faq">Compilation problems</A></LI>
<UL>
<LI><A href="#gmp.h_missing">gmp.h: No such file or directory</A></LI>
<LI><A href="#noVM">... virtual memory exhausted</A></LI>
</UL>
<LI><A href="#setup.faq"> Life's little mysteries</A></LI>
<UL>
<LI><A href="#cantping"> I cannot ping ....</A></LI>
<LI><A href="#forever">It takes forever to ...</A></LI>
<LI><A href="#route"> I send packets to the tunnel with route(8) but 
they vanish</A></LI>
<LI><A href="#down_route"> When a tunnel goes down, packets vanish</A></LI>
<LI><A href="#firewall_ate">The firewall ate my packets!</A></LI>
<LI><A href="#dropconn">Dropped connections</A></LI>
<LI><A href="#tcpdump"> TCPdump on the gateway shows strange things</A></LI>
<LI><A href="#no_trace"> Traceroute does not show anything between the 
gateways</A></LI>
</UL>
<LI><A href="#man4debug">Testing in stages</A></LI>
<UL>
<LI><A href="#nomanual">Manually keyed connections don't work</A></LI>
<LI><A href="#spi_error">One manual connection works, but second one 
fails</A></LI>
<LI><A href="#man_no_auto"> Manual connections work, but automatic 
keying doesn't</A></LI>
<LI><A href="#nocomp"> IPSEC works, but connections using compression 
fail</A></LI>
<LI><A href="#pmtu.broken"> Small packets work, but large transfers fail</A>
</LI>
<LI><A href="#subsub">Subnet-to-subnet works, but tests from the 
gateways don't</A></LI>
</UL>
<LI><A href="#error"> Interpreting error messages</A></LI>
<UL>
<LI><A href="#unreachable">SIOCADDRT:Network is unreachable</A></LI>
<LI><A href="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack 
KLIPS</A></LI>
<LI><A href="#noDNS">ipsec_setup: ... failure to fetch key for ... from 
DNS</A></LI>
<LI><A href="#dup_address">ipsec_setup: ... interfaces ... and ... 
share address ...</A></LI>
<LI><A href="#kflags"> ipsec_setup: Cannot adjust kernel flags</A></LI>
<LI><A href="#conn_name">Connection names in Pluto error messages</A></LI>
<LI><A href="#cantorient">Pluto: ... can't orient connection</A></LI>
<LI><A href="#noconn"> Pluto: ... no connection is known</A></LI>
<LI><A href="#nosuit"> Pluto: ... no suitable connection ...</A></LI>
<LI><A href="#noconn.auth"> Pluto: ... no connection has been authorized</A>
</LI>
<LI><A href="#noDESsupport"> Pluto: ... OAKLEY_DES_CBC is not supported.</A>
</LI>
<LI><A href="#notransform"> Pluto: ... no acceptable transform</A></LI>
<LI><A href="#econnrefused">ECONNREFUSED error message</A></LI>
<LI><A href="#no_eroute"> klips_debug: ... no eroute!</A></LI>
<LI><A href="#SAused"> ... trouble writing to /dev/ipsec ... SA already 
in use</A></LI>
<LI><A href="#ignore"> ... ignoring ... payload</A></LI>
</UL>
<LI><A href="#canI">Can I ...</A></LI>
<UL>
<LI><A href="#reload">Can I reload connection info without restarting?</A>
</LI>
<LI><A href="#masq.faq">Can I use several masqueraded subnets?</A></LI>
<LI><A href="#dup_route">Can I use subnets masqueraded to the same 
addresses?</A></LI>
<LI><A href="#road.masq">Can I assign a road warrior an address on my 
net?</A></LI>
<LI><A href="#QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
</LI>
<LI><A href="#deadtunnel">Can I recognise dead tunnels and shut them 
down?</A></LI>
<LI><A href="#demanddial">Can I build IPSEC tunnels over a 
demand-dialed link?</A></LI>
<LI><A href="#GRE">Can I build GRE tunnels over IPSEC?</A></LI>
<LI><A href="#PKIcert"> Does FreeS/WAN support X.509 or other PKI 
certificates?</A></LI>
<LI><A href="#Radius"> Does FreeS/WAN support Radius or other user 
authentication?</A></LI>
<LI><A href="#noDES.faq"> Does FreeS/WAN support single DES encryption?</A>
</LI>
</UL>
<LI><A href="#spam">Why don't you restrict the mailing lists to reduce 
spam?</A></LI>
</UL>
<HR>
<H2><A name="whatzit"> What is FreeS/WAN?</A></H2>
 FreeS/WAN is a Linux implementation of the <A href="#IPSEC">IPSEC</A>
 protocols, providing security services at the IP (Internet Protocol) 
level of the network. 
<P> For more detail, see our <A href="intro.html">introduction</A>
 document or the FreeS/WAN project <A href="http://www.freeswan.org/">
web site</A>. </P>
<H2><A name="problems">How do I report a problem or seek help?</A></H2>
 See our <A href="prob.report">problem reporting</A> document. 
Basically, what it says is <STRONG>give us the output from <NOBR><VAR>
ipsec barf</VAR></NOBR> from both gateways</STRONG>. Without full 
information, we cannot diagnose a problem. However, <NOBR><VAR>ipsec 
barf</VAR></NOBR> produces a lot of output. If at all possible, <STRONG>
please make barfs accessible via the web or FTP</STRONG> rather than 
sending enormous mail messages. 
<P><STRONG> Use the <A href="mail.html">mailing list</A> for problem 
reports</STRONG>, rather than mailing developers directly. This gives 
you access to more expertise, including users who may have encountered 
and solved the same problems. In particular, for problems involving <A href="interop.html">
interoperation</A> with another IPSEC implementation, the users often 
know more than the developers. </P>
<P> Using the list may also be important in relation to various <A href="#exlaw">
 cryptography export laws</A>. A US citizen who provides technical 
assistance to foreign cryptographic work might be charged under the 
arms export regulations. Such a charge would be easier to defend if the 
discussion took place on a public mailing list than if it were done in 
private mail. </P>
<H2><A name="generic">Generic questions</A></H2>
<H3><A name="lemme_out">This is too complicated. Isn't there an easier 
way?</A></H3>
 There are a number of Linux distributions or firewall products which 
include FreeS/WAN. See this <A href="#products">list</A>. Using one of 
these, chosen to match your requirements and budget, may save you 
considerable time and effort. (If you don't know your requirements, 
start by reading Schneier's <A href="#secrets">Secrets and Lies</A>. 
That gives the best overview of security issues I have seen.) 
<P> If you want the help of a contractor, or to hire staff with 
FreeS/WAN expertise, you could: </P>
<UL>
<LI>check availability in your area through your local Linux User Group 
(<A href="http://www.linux.com/lug/">LUG Index</A>) </LI>
<LI>try asking on our <A href="mail.html">mailing list</A></LI>
</UL>
<P> For companies offerring support, see the next question. </P>
<H3><A name="commercial">Can I get commercial support for this product?</A>
</H3>
 Many of the distributions or firewall products which include FreeS/WAN 
(see this <A href="#products">list</A>) come with commercial support or 
have it available as an option. 
<P> Various companies specialize in commercial support of open source 
software. Our project leader was a founder of the first such company, 
Cygnus Support. It has since been bought by <A href="http://www.redhat.com">
Redhat</A>. Another such firm is <A href="http://www.linuxcare.com">
Linuxcare</A>. </P>
<H3><A name="modify.faq">Can I modify FreeS/WAN to ...?</A></H3>
 You are free to modify FreeS/WAN in any way. See the discussion of <A href="#licensing">
licensing</A> in our introduction document. 
<H3><A name="contrib.faq">Can I contribute to the project?</A></H3>
 In general, we welcome contributions from the community. Various 
contributed patches, either to fix bugs or to add features, have been 
incorporated into our distribution. Other patches, not yet included in 
the distribution, are listed in our <A href="#patch">web links</A>
 section. 
<P> Users have also contributed heavily to documentation, both by 
creating their own <A href="#howto">HowTos</A> and by posting things on 
the <A href="mail.html">mailing lists</A> which I have quoted in these 
HTML docs. </P>
<P> There are, however, some caveats. </P>
<P> FreeS/WAN is being implemented in Canada, by Canadians, largely to 
ensure that is it is entirely free of export restrictions. See this <A href="#status">
discussion</A>. We <STRONG>cannot accept code contributions from US 
residents or citizens</STRONG>, not even one-line bugs fixes. The 
reasons for this were recently discussed extensively on the mailing 
list, in a thread starting <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00111.html">
here</A>. </P>
<P> Not all contributions are of interest to us. The project has a set 
of fairly ambitious and quite specific goals, described in our <A href="#goals">
introduction</A>. Contributions that lead toward these goals are likely 
to be welcomed enthusiastically. Other contributions may be seen as 
lower priority, or even as a distraction. </P>
<H3><A name="ddoc.faq">Is there detailed design documentation?</A></H3>
 There are: 
<UL>
<LI><A href="RFC.html">RFCs</A> specifying the protocols we implement </LI>
<LI><A href="manpages.html">man pages</A> for our utilities, library 
functions and file formats </LI>
<LI>comments in the source code </LI>
<LI><A href="index.html">HTML documentation</A> written primarily for 
users </LI>
<LI>archived discussions from the <A href="mail.html">mailing lists</A></LI>
<LI>other papers mentioned in our <A href="#applied">introduction</A></LI>
</UL>
 The only formal design documents are a few papers in the last category 
above. All the other categories, however, have things to say about 
design as well. 
<H3><A name="interop.faq">Can FreeS/WAN talk to ...?</A></H3>
 The IPSEC protocols are designed to support interoperation. In theory, 
any two IPSEC implementations should be able to talk to each other. 
<P> In practice, it is considerably more complex. We have a whole <A href="interop.html">
interop document</A> devoted to it. </P>
<H3><A name="old_to_new">Can different FreeS/WAN versions talk to each 
other?</A></H3>
 Linux FreeS/WAN can interoperate with many IPSEC implementations, 
including earlier versions of Linux FreeS/WAN itself. 
<P> In general, new versions will use existing configuration files, at 
least until the next major version number change. For example, 1.8 can 
use files created for 1.7, 1.6, even back to 1.0, but not from 0.92. 
This behaviour will continue until we release 2.0. </P>
<P> As of 1.8, however, conf file checking has become stricter, so that 
an error that may have slipped past the checks in an earlier version 
may be caught in a later one. From 1.8's doc/CHANGES: </P>
<PRE>
      The internal configuration-file reader is progressively getting 
      fussier about what it will accept, which may cause problems for 
      illegal ipsec.conf files whose sins previously passed unnoticed.  
      IN PARTICULAR, the &quot;auto&quot; parameter's values are now checked for 
      legality everywhere.
</PRE>
<H3><A name="versions">Does FreeS/WAN run on my version of Linux?</A></H3>
 We build and test on Redhat distributions, but FreeS/WAN runs just 
fine on several other distributions, sometimes with minor fiddles to 
adapt to the local environment. Details are in our <A href="#otherdist">
compatibility</A> document. Also, some distributions or products come 
with <A href="#products">FreeS/WAN included</A>. 
<P> FreeS/WAN is <STRONG>intended to run on all CPUs Linux supports</STRONG>
. As of June 2000, we know of it being used in production on x86, ARM, 
Alpha and MIPS. It has also had successful tests on PPC and SPARC, 
though we don't know of actual use there. Details are in our <A href="#CPUs">
compatibility</A> document. </P>
<P> FreeS/WAN has been tested on multiprocessor Intel Linux and worked 
there. Note, however, that we do not test this often and have never 
tested on multiprocessor machines of other architectures. </P>
<H3><A name="k.versions">Does FreeS/WAN run on the latest kernel 
version?</A></H3>
 Sometimes yes, but quite often, no. 
<P> Released versions of FreeS/WAN run on whatever production kernels 
were current at the time of our release (or shortly before; we might 
release for kernel <VAR>n</VAR> just as Linus releases <VAR>n+1</VAR>). 
For example, FreeS/WAN 1.91 runs on kernel 2.2.19 or 2.4.5. Often they 
will run on slightly earlier or later kernels as well, but we test on 
the current production kernels, so those are strongly recommended. </P>
<P> The kernel is under active development and it is not uncommon for 
changes to appear that cause problems for FreeS/WAN. For example, 2.4.6 
or 2.4.7 may have changes that break FreeS/WAN 1.91. Or not; you can't 
tell in advance. When such changes appear, we put a fix in the 
FreeS/WAN snapshots, and distribute it with our next release. </P>
<P> However, this is not a high priority for us, and it may take 
anything from a few days to several weeks for such a problem to find 
its way to the top of our kernel programmer's To-Do list. In the 
meanwhile, you have two choices: </P>
<UL>
<LI>either stick with a slightly older kernel, even if it is not the 
latest and greatest. This is recommended for production systems; new 
versions may have new bugs. </LI>
<LI>or fix the problem yourself and send us a patch, via the <A href="mail.html">
Users mailing list</A>. </LI>
</UL>
 We don't even try to keep up with kernel changes outside the main 2.2 
and 2.4 branches, such as the 2.4.x-ac patched versions from Alan Cox 
or (when they appear) the 2.5 series of development kernels. We'd 
rather work on developing the FreeS/WAN code than on chasing these 
moving targets. We are, however, happy to get patches for problems 
discovered there. 
<P> See also the <A href="#choosek">Choosing a kernel</A> section of 
our installation document. </P>
<H3><A name="faq.speed">Is a ... fast enough to handle FreeS/WAN with 
... connections?</A></H3>
 Certainly FreeS/WAN can run happily on limited machines. Very roughly: 
<UL>
<LI>a 486 machines can handle a T1, ADSL or cable link (but the machine 
may be breathing hard) </LI>
<LI>a current (mid-2001) technology PC can easily handle at least a 10 
Mbit/second link </LI>
</UL>
 Beyond that, the picture is not clear. Much depends on details of your 
network, your traffic, and other loads on both machine and net. 
<P> See our <A href="performance.html">FreeS/WAN performance</A>
 document and our discussion of <A href="#biggate">many tunnels for one 
gateway</A> for more detail. </P>
<H2><A name="compile.faq">Compilation problems</A></H2>
<H3><A name="gmp.h_missing">gmp.h: No such file or directory</A></H3>
 Pluto needs the GMP (<STRONG>G</STRONG>NU <STRONG>M</STRONG>ulti-<STRONG>
P</STRONG>recision) library for the large integer calculations it uses 
in <A href="#public"> public key</A> cryptography. This error message 
indicates a failure to find the library. You must install it before 
Pluto will compile. 
<P> The GMP library is included in most Linux distributions. Typically, 
there are two RPMs, libgmp and libgmp-devel, You need to <EM>install 
both</EM>, either from your distribution CDs or from your vendor's web 
site. </P>
<P> On Debian, a mailing list message reports that the command to give 
is <NOBR><VAR>apt-get install gmp2</VAR></NOBR>. </P>
<P> For more information and the latest version, see the <A href="http://www.swox.com/gmp/">
GMP home page</A>. </P>
<H3><A name="noVM">... virtual memory exhausted</A></H3>
 We have had several reports of this message appearing, all on SPARC 
Linux. Here is a mailing message on a solution: 
<PRE>
&gt; ipsec_sha1.c: In function `SHA1Transform':
&gt; ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.
</PRE>
<H2><A name="setup.faq">Life's little mysteries</A></H2>
 FreeS/WAN is a fairly complex product. (Neither the networks it runs 
on nor the protocols it uses are simple, so it could hardly be 
otherwise.) It therefore sometimes exhibits behaviour which can be 
somewhat confusing, or has problems which are not easy to diagnose. 
This section tries to explain those problems. 
<P> Setup and configuration of FreeS/WAN are covered in other 
documentation sections: </P>
<UL>
<LI><A href="install.html"> Installation</A></LI>
<LI><A href="config.html"> Configuration</A></LI>
<LI><A href="trouble.html"> Troubleshooting</A></LI>
</UL>
<P> However, we also list some of the commonest problems here. </P>
<H3><A name="cantping">I cannot ping ....</A></H3>
 This question is dealt with in the configuration section under the 
heading <A href="#multitunnel">multiple tunnels</A>. 
<P> The standard subnet-to-subnet tunnel protects traffic <STRONG>only 
between the subnets</STRONG>. To test it, you must use pings that go 
from one subnet to the other. </P>
<P> For example, suppose you have: </P>
<PRE>
      subnet a.b.c.0/24
             |
      eth1 = a.b.c.1
         gate1
      eth0 = 1.2.3.4
             |

       ~ internet ~

             |
      eth0 = 4.3.2.1
         gate2
      eth1 = x.y.z.1
              |
       subnet x.y.z.0/24
</PRE>
<PRE>
</PRE>
<P> and the connection description: </P>
<P>
<PRE>
conn abc-xyz
     left=1.2.3.4
     leftsubnet=a.b.c.0/24
     right=4.3.2.1
     rightsubnet=x.y.z.0/24
</PRE>
<P> You can test this connection description only by sending a ping 
that will actually go through the tunnel. Assuming you have machines at 
addresses a.b.c.2 and x.y.z.2, pings you might consider trying are: </P>
<DL>
<DT> ping from x.y.z.2 to a.b.c.2 or vice versa</DT>
<DD> Succeeds if tunnel is working. This is the <STRONG>only valid test 
of the tunnel</STRONG>. </DD>
<DT> ping from gate2 to a.b.c.2 or vice versa</DT>
<DD><STRONG> Does not use tunnel</STRONG>. gate2 is not on protected 
subnet. </DD>
<DT> ping from gate1 to x.y.z.2 or vice versa</DT>
<DD><STRONG> Does not use tunnel</STRONG>. gate1 is not on protected 
subnet. </DD>
<DT> ping from gate1 to gate2 or vice versa</DT>
<DD><STRONG> Does not use tunnel</STRONG>. Neither gate is on a 
protected subnet. </DD>
</DL>
<P> Only the first of these is a useful test of this tunnel. The others 
do not use the tunnel. Depending on other details of your setup and 
routing, they: </P>
<UL>
<LI>either fail, telling you nothing about the tunnel </LI>
<LI>or succeed, telling you nothing about the tunnel since these 
packets use some other route </LI>
</UL>
<P> If required, you can of course build additional tunnels so that all 
the machines involved can talk to all the others. See <A href="#multitunnel">
multiple tunnels</A> in the configuration document for details. </P>
<H3><A name="forever">It takes forever to ...</A></H3>
 Users fairly often report various problems involving long delays, 
sometimes on tunnel setup and sometimes on operations done through the 
tunnel, occasionally on simple things like ping or more often on more 
complex operations like doing NFS or Samba through the tunnel. 
<P> Almost always, these turn out to involve failure of a DNS lookup. 
The timeouts waiting for DNS are typically set long so that you won't 
time out when a query involves multiple lookups or long paths. Genuine 
failures therefore produce long delays before they are detected. </P>
<P> A mailing list message from project technical lead Henry Spencer: </P>
<PRE>
&gt; ... when i run /etc/rc.d/init.d/ipsec start, i get:
&gt; ipsec_setup: Starting FreeS/WAN IPSEC 1.5...
&gt; and it just sits there, doesn't give back my bash prompt.

Almost certainly, the problem is that you're using DNS names in your
ipsec.conf, but DNS lookups are not working for some reason.  You will
get your prompt back... eventually.  But the DNS timeouts are long.
Doing something about this is on our list, but it is not easy.
</PRE>
<P> In the meanwhile, we recommend that connection descriptions in <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> use numeric IP addresses rather than names which will 
require a DNS lookup. </P>
<P> Names that do not require a lookup are fine. For example: </P>
<UL>
<LI>a road warrior might use the identity <VAR>
rightid=@lancelot.example.org</VAR></LI>
<LI>the gateway might use <VAR>leftid=@camelot.example.org</VAR></LI>
</UL>
<P> These are fine. The @ sign prevents any DNS lookup. However, do not 
attempt to give the gateway address as <VAR>left=camelot.example.org</VAR>
. That requires a lookup. </P>
<P> A post from one user after solving a problem with long delays: </P>
<PRE>
Subject: Final Answer to Delay!!!
   Date: Mon, 19 Feb 2001
   From: &quot;Felippe Solutions&quot; &lt;felippe@solutionstecnologia.com.br&gt;

Sorry people, but seems like the Delay problem had nothing to do with
freeswan.

The problem was DNS as some people sad from the beginning, but not the way
they thought it was happening. Samba, ssh, telnet and other apps try to
reverse lookup addresses when you use IP numbers (Stupid that ahh).

I could ping very fast because I always ping with &quot;-n&quot; option, but I don't
know the option on the other apps to stop reverse addressing so I don't use
it.
</PRE>
 This post is fairly typical. These problems are often tricky and 
frustrating to diagnose, and most turn out to be DNS-related. 
<P> One suggestion for diagnosis: test with both names and addresses if 
possible. For example, try all of: </P>
<UL>
<LI>ping <VAR>address</VAR></LI>
<LI>ping -n <VAR>address</VAR></LI>
<LI>ping <VAR>name</VAR></LI>
</UL>
<P> If these behave differently, the problem must be DNS-related since 
the three commands do exactly the same thing except for DNS lookups. </P>
<H3><A name="route">I send packets to the tunnel with route(8) but they 
vanish</A></H3>
 IPSEC connections are designed to carry only packets travelling 
between pre-defined connection endpoints. As project technical lead 
Henry Spencer put it: <BLOCKQUOTE> IPsec tunnels are not just virtual 
wires; they are virtual wires  with built-in access controls. 
 Negotiation of an IPsec tunnel includes  negotiation of access rights 
for it, which don't include packets to/from  other IP addresses.  (The 
protocols themselves are quite inflexible about  this, so there are 
limits to what we can do about it.) </BLOCKQUOTE> For fairly obvious 
security reasons, and to comply with the IPSEC RFCs, <A href="#KLIPS">
 KLIPS</A> drops any packets it receives that are not allowed on the 
tunnels currently defined. So if you send it packets with <VAR>route(8)</VAR>
, and suitable tunnels are not defined, the packets vanish. Whether 
this is reported in the logs depends on the setting of <VAR>klipsdebug</VAR>
 in your <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> file. 
<P> To rescue vanishing packets, you must ensure that suitable tunnels 
for them exist, by editing the connection descriptions in <A href="manpage.d/ipsec.conf.5.html">
 ipsec.conf(5)</A>. For example, supposing you have a simple setup: </P>
<PRE>
         leftsubnet -- leftgateway === internet === roadwarrior
</PRE>
 If you want to give the roadwarrior access to some resource that is 
located behind the left gateway but is not in the currently defined 
left subnet, then the usual procedure is to define an additional tunnel 
for those packets by creating a new connection description. 
<P> In some cases, it may be easier to alter an existing connection 
description, enlarging the definition of <VAR>leftsubnet</VAR>. For 
example, instead of two connection descriptions with 192.168.8.0/24 and 
192.168.9.0/24 as their <VAR>leftsubnet</VAR> parameters, you can use a 
single description with 192.168.8.0/23. </P>
<P> If you have multiple endpoints on each side, you need to ensure 
that there is a route for each pair of endpoints. See our <A href="#multitunnel">
configuration</A> document for an example. </P>
<H3><A name="down_route">When a tunnel goes down, packets vanish</A></H3>
 This is a special case of the vanishing packet problem described in 
the previous question. Whenever KLIPS sees packets for which it does 
not have a tunnel, it drops them. 
<P> When a tunnel goes away, either because negotiations with the other 
gateway failed or because you gave an <NOBR><VAR>ipsec auto --down</VAR></NOBR>
 command, the route to its other end is left pointing into KLIPS, and 
KLIPS will drop packets it has no tunnel for. </P>
<P> This is a documented design decision, not a bug. FreeS/WAN must not 
automatically adjust things to send packets via another route. The 
other route might be insecure. </P>
<P> Of course, re-routing may be necessary in many cases. In those 
cases, you have to do it manually or via scripts. We provide the <NOBR><VAR>
ipsec auto --unroute</VAR></NOBR> command for these cases. </P>
<P> From <A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A>: <BLOCKQUOTE>
 Normally,  pluto  establishes  a  route to the destination  specified 
for a connection as part of the --up  operation.  However,  the  route 
and only the route can be established  with the --route operation. 
 Until and  unless  an  actual  connection  is established, this 
discards any packets sent  there, which may be preferable to having 
them  sent elsewhere  based  on  a  more  general  route (e.g., a 
default  route). </BLOCKQUOTE><BLOCKQUOTE> Normally, pluto's route to a 
destination remains in  place  when  a  --down  operation  is used to 
take the connection  down (or if connection setup, or later automatic 
rekeying,  fails).  This permits establishing a new connection (perhaps 
 using a different specification; the route is altered  as necessary) 
without having a ``window'' in which packets  might go elsewhere based 
on a more general route.  Such  a  route can be removed using the 
--unroute operation (and is  implicitly removed by --delete). </BLOCKQUOTE>
</P>
<P> See also this mailing list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00523.html">
message</A>. </P>
<H3><A name="firewall_ate">The firewall ate my packets!</A></H3>
 If firewalls filter out:
<UL>
<LI>either the UDP port 500 packets used in IKE negotiations</LI>
<LI>or the ESP and AH (protocols 50 and 51) packets used to implement 
the  IPSEC tunnel</LI>
</UL>
<P> then IPSEC cannot work. The first thing to check if packets seem to 
be vanishing is the firewall rules on the two gateway machines and any 
other machines along the path that you have access to. </P>
<P> For details, see our document on <A href="firewall.html">firewalls</A>
.</P>
<H3><A name="dropconn">Dropped connections</A></H3>
<P> Networks being what they are, IPSEC connections can be broken for 
any number of reasons, ranging from hardware failures to various 
software problems such as the path MTU problems discussed <A href="#pmtu.broken">
elsewhere in the FAQ</A>. Fortunately, various diagnostic tools exist 
that help you sort out many of the possible problems.</P>
<P> There is one situation, however, where FreeS/WAN (using default 
settings) may destroy a connection for no readily apparent reason. This 
occurs when things are <STRONG>misconfigured</STRONG> so that <STRONG>
two tunnels</STRONG> from the same gateway expect <STRONG>the same 
subnet on the far end</STRONG>.</P>
<P> In this situation, the first tunnel comes up fine and works until 
the second is established. At that point, because of the way we track 
connections internally, the first tunnel ceases to exist as far as this 
gateway is concerned. Of course the far end does not know that, and a 
storm of error messages appears on both systems as it tries to use the 
tunnel.</P>
<P> If the far end gives up, goes back to square one and negotiates a 
new tunnel, then that wipes out the second tunnel and ...</P>
<P> The solution is simple. <STRONG>Do not build multiple conn 
descriptions with the same remote subnet</STRONG>.</P>
<P> This is actually intended to be a feature, rather than a bug. 
Consider the situation where a single remote system goes down, then 
comes back up and reconnects to the gateway. It is useful to have the 
gateway tear down the old tunnel and recover resources when the 
reconnection is made. It recognises that situation by checking the 
remote subnet for each tunnel it builds and discarding duplicates. This 
works fine as long as you don't configure multiple tunnels with the 
same remote subnet.</P>
<P> If this behaviour is inconvenient for you, you can disable it by 
setting <VAR>uniqueids=no</VAR> in <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A>. </P>
<H3><A name="tcpdump.faq">TCPdump on the gateway shows strange things</A>
</H3>
 Attempting to look at IPSEC packets by running monitoring tools on the 
IPSEC gateway machine can produce silly results. That machine is 
mangling the packets for IPSEC, and possibly for firewall or NAT 
purposes as well. If the internals of the machine's IP stack are not 
what the monitoring tool expects, then the tool can misinterpret them 
and produce nonsense output. 
<P> At one point, this problem was quite severe. On more recent 
systems, <STRONG>the problem has been solved</STRONG>. The version of 
tcpdump shipped with Redhat 6.2, for example, understands IPSEC well 
enough to be usable on a gateway. If in doubt about your version of 
tcpdump, you can get the latest version from <A href="http://www.tcpdump.org/">
tcpdump.org</A>. </P>
<P> Even if you have a version of tcpdump that works on gateways 
however, the most certain way to examine IPSEC packets is to look at 
them on the wire. For security, you need to be certain, so we recommend 
doing that. To do so, you need a <STRONG>separate sniffer machine 
located between the two gateways</STRONG>. This machine can be routing 
IPSEC packets, but it must not be an IPSEC gateway. </P>
<P> A common test setup is to put a machine with dual Ethernet cards in 
between two gateways under test. The central machine both routes 
packets and provides a place to safely run tcpdump or other sniffing 
tools. What you end up with looks like: </P>
<H4>Testing network</H4>
<PRE>
      subnet a.b.c.0/24
             |
      eth1 = a.b.c.1
         gate1
      eth0 = 192.168.p.1
             |
             |
      eth0 = 192.168.p.2
         route/monitor box
      eth1 = 192.168.q.2
             |
             |
      eth0 = 192.168.q.1
         gate2
      eth1 = x.y.z.1
              |
       subnet x.y.z.0/24
</PRE>
<PRE>
</PRE>
<P> With p and q any convenient values that do not interfere with other 
routes you may have. The ipsec.conf(5) file then has, among other 
things: </P>
<P>
<PRE>
conn abc=xyz
      left=192.168.p.1
      leftnexthop=192.168.p.2
      right=192.168.q.1
      rightnexthop=192.168.q.2
</PRE>
 Once that works, you can remove the &quot;route/monitor box&quot;, and connect 
the two gateways to the Internet. The only parameters in ipsec.conf(5) 
 that need to change are the four shown above. You replace them with 
values appropriate for your Internet connection, and change the eth0 IP 
addresses and the default routes on both gateways. 
<P> Note that nothing on either subnet needs to change. This lets you 
test most of your IPSEC setup before connecting to the insecure 
Internet. </P>
<H3><A name="no_trace">Traceroute does not show anything between the 
gateways</A></H3>
 As far as traceroute can see, the two gateways are one hop apart; the 
data packet goes directly from one to the other through the tunnel. Of 
course the outer packets that implement the tunnel pass through 
whatever lies between the gateways, but  those packets are built and 
dismantled by the gateways. Traceroute does not see them and cannot 
report anything about their path. 
<P> Here is a mailing list message with more detail. </P>
<PRE>
Date: Mon, 14 May 2001
To: linux-ipsec@freeswan.org
From: &quot;John S. Denker&quot; &lt;jsd@research.att.com&lt;
Subject: Re: traceroute: one virtual hop

At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
&gt;
&gt;&gt; &gt; A bonus question: traceroute in subnet to subnet enviroment looks like:
&gt;&gt; &gt; 
&gt;&gt; &gt; traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
&gt;&gt; &gt; 1  drama (172.20.1.1)  0.716 ms  0.942 ms  0.434 ms
&gt;&gt; &gt; 2  * * *
&gt;&gt; &gt; 3  andris.dmz (172.20.24.10)  73.576 ms  78.858 ms  79.434 ms
&gt;&gt; &gt; 
&gt;&gt; &gt; Why aren't there the other hosts which take part in the delivery during 
&gt;    * * * ?
&gt;
&gt;If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a 
&gt;'virtual wire'.  When it is tunneled, the original packet becomes an inner 
&gt;packet, and new ESP and/or AH headers are added to create an outer packet 
&gt;around it. You can see an example of how this is done for AH at 
&gt;doc/ipsec.html#AH . For ESP it is similar.
&gt;
&gt;Think about the packet's path from the inner packet's perspective.
&gt;It leaves the subnet, goes into the tunnel, and re-emerges in the second
&gt;subnet. This perspective is also the only one available to the
&gt;'traceroute' command when the IPSec tunnel is up.

Claudia got this exactly right.  Let me just expand on a couple of points:

*) GateB is exactly one (virtual) hop away from GateA.  This is how it
would be if there were a physically private wire from A to B.  The
virtually private connection should work the same, and it does.

*) While the information is in transit from GateA to GateB, the hop count
of the outer header (the &quot;envelope&quot;) is being decremented.  The hop count
of the inner header (the &quot;contents&quot; of the envelope) is not decremented and
should not be decremented.  The hop count of the outer header is not
derived from and should not be derived from the hop count of the inner header.

Indeed, even if the packets did time out in transit along the tunnel, there
would be no way for traceroute to find out what happened.  Just as
information cannot leak _out_ of the tunnel to the outside, information
cannot leak _into_ the tunnel from outside, and this includes ICMP messages
from routers along the path.

There are some cases where one might wish for information about what is
happening at the IP layer (below the tunnel layer) -- but the protocol
makes no provision for this.  This raises all sorts of conceptual issues.
AFAIK nobody has ever cared enough to really figure out what _should_
happen, let alone implement it and standardize it.

*) I consider the &quot;* * *&quot; to be a slight bug.  One might wish for it to be
replaced by &quot;GateB GateB GateB&quot;.  It has to do with treating host-to-subnet
traffic different from subnet-to-subnet traffic (and other gory details).
I fervently hope KLIPS2 will make this problem go away.

*) If you want to ask questions about the link from GateA to GateB at the
IP level (below the tunnel level), you have to ssh to GateA and launch a
traceroute from there.
</PRE>
<H2><A name="man4debug">Testing in stages</A></H2>
<P> It is often useful in debugging to test things one at a time:</P>
<UL>
<LI>disable IPSEC entirely, e.g. by turning it off with chkconfig(8), 
and  make sure routing works</LI>
<LI>Once that works, try a manually keyed connection. This does not 
 require key negotiation between Pluto and the key daemon on the other 
 end.</LI>
<LI>Once that works, try automatically keyed connections</LI>
<LI>Once IPSEC works, add packet compression</LI>
<LI>Once everything seems to work, try stress tests with large 
transfers,  many connections, frequent re-keying, ... </LI>
</UL>
<P> FreeS/WAN releases are tested for all of these, so you can be 
reasonably certain they <EM>can</EM> do them all. Of course, that does 
not mean they <EM>will</EM> on the first try, especially if you have 
some unusual configuration. </P>
<P> The rest of this section gives information on diagnosing the 
problem when each of the above steps fails. </P>
<H3><A name="nomanual">Manually keyed connections don't work</A></H3>
<P>Suspect one of:</P>
<UL>
<LI>mis-configuration of IPSEC system in the /etc/ipsec.conf file
<BR> e.g. incorrect interface or next hop information</LI>
<LI>mis-configuration of manual connection in the /etc/ipsec.conf  file</LI>
<LI>routing problems causing IPSEC packets to be lost</LI>
<LI>bugs in KLIPS</LI>
<LI>mismatch between the transforms we support and those another IPSEC 
 implementation offers.</LI>
</UL>
<H3><A name="spi_error">One manual connection works, but second one 
fails</A></H3>
 This is fairly common problem when attempting to configure multiple 
manually keyed connections from a single gateway. 
<P> Each connection must be identified by a unique <A href="#SPI">SPI</A>
 value. For automatic connections, these values are assigned 
automatically. For manual connections, you must set them with <VAR>spi=</VAR>
 statements in <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>. </P>
<P> Each manual connection must have a unique SPI value in the range 
0x100 to 0x999. Two or more with the same value will fail. For details, 
see our HTML doc section <A href="#prodman">Using manual keying in 
production</A> and the man page <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A>. </P>
<H3><A name="man_no_auto">Manual connections work, but automatic keying 
doesn't</A></H3>
 The most common reason for this behaviour is a firewall dropping the 
UDP port 500 packets used in key negotiation. 
<P> Other possibilities:</P>
<UL>
<LI>mis-configuration of auto connection in the /etc/ipsec.conf file. </LI>
<P>One common  configuration error is forgetting that you need <VAR>
auto=add</VAR> to load the  connection description on the receiving end 
so it recognises the connection  when the other end asks for it.</P>
<LI>error in shared secret in /etc/ipsec.secrets</LI>
<LI>one gateway lacks a route to the other so Pluto's UDP packets are 
 lost</LI>
<LI>bugs in Pluto</LI>
<LI>incompatibilities between Pluto's <A href="#IKE">IKE</A>
 implementation and the IKE at the other end of the tunnel. </LI>
<P>Some possibile problems  are discussed in out <A href="#interop.problem">
interoperation</A> document.</P>
</UL>
<H3><A name="nocomp">IPSEC works, but connections using compression fail</A>
</H3>
 Suspect one of: 
<UL>
<LI>(especially if small packets are OK, but large ones fail) 
compatibility issues  with other implementations. We follow the RFCs 
and omit some extra material  that many compression libraries add by 
default. Others may have the extras left  in.</LI>
<LI>bugs in the FreeS/WAN IPComp code, which is new for 1.6 and not yet 
heavily  tested</LI>
</UL>
<H3><A name="pmtu.broken">Small packets work, but large transfers fail</A>
</H3>
<P> If tests with ping(1) and a small packet size succeed, but tests or 
transfers with larger packet sizes fail, suspect problems with <A href="#pathMTU">
path MTU discovery</A>.</P>
<P> IPSEC makes packets larger by adding an ESP or AH header. This can 
tickle assorted bugs in path MTU discovery mechanisms and cause a 
variety of annoying symptoms. Here is one example of a discussion of 
this problem off the mailing list:</P>
<PRE>
Date: Mon, 3 Apr 2000
From: &quot;Michael H. Warfield&quot; &lt;mhw@wittsend.com&gt;

Paul Koning wrote:

&gt;  Chris&gt;  It appears that the Osicom router discards IP
&gt;  Chris&gt; fragments...

&gt; Amazing.  A device that discards fragments isn't a router, it's at
&gt; best a boat anchor.

        It may not be exactly what it appears.  I ran into a similar problem
with an ISDN link a while ago giving similar symptoms.  Turned out that
the device was negotiating an MTU that it really couldn't handle and the
device in front of it (a Linux box with always defragment enabled) was
defragmenting the huge IPSec datagrams and then refragmenting them into
hunks that the ISDN PPP thought it could handle but couldn't.  Problem was
solved by manually capping the MTU on the ISDN link to a smaller value.

        I gave the FreeSwan guys a hard time until tracking it down since
FreeSwan was the only thing that appeared to be able to tickle the bug.
Nothing else seemed to be broken.  What it really was that MTU discovery
was avoiding the problem on normal links and it was only the IPSEC tunnels
that were creating huge datagrams that went through the defragment/refragment
process.

        Point here is that it &quot;appeared&quot; as though the ISDN link was
failing to handle fragments when it was really a configuration error and
a software bug resulting in a bad MTU that was really the culprit.  So
it may not be that the router is not handling fragments.  It may be that
it's missconfigured or has some other bug that only FreeSwan is tripping
over.
</PRE>
<H3><A name="subsub">Subnet-to-subnet works, but tests from the 
gateways don't</A></H3>
 This is described under <A href="#cantping">I cannot ping...</A>
 above. 
<H2><A name="error">Interpreting error messages</A></H2>
<H3><A name="unreachable">SIOCADDRT:Network is unreachable</A></H3>
 This message is not from FreeS/WAN, but from the Linux IP stack 
itself. That stack is seeing packets it has no route for, either 
because your routing was broken before FreeS/WAN started or because 
FreeS/WAN's changes broke it. 
<P> Here is a message from FreeS/WAN &quot;listress&quot; (mailing list tech 
support person) Claudia Schmeing suggesting ways to diagnose and fix 
such problems: </P>
<PRE>
You write,
&gt; I have correctly installed freeswan-1.8 on RH7.0 kernel 2.2.17, but when 
&gt; I setup a VPN connection with the other machine(RH5.2 Kernel 2.0.36 
&gt; freeswan-1.0, it works well.) it told me that 
&gt; &quot;SIOCADDRT:Network is unreachable&quot;!  But the network connection is no 
&gt; problem.

Often this error is the result of a misconfiguration. 

Be sure that you can route successfully in the absence of Linux
FreeS/WAN. (You say this is no problem, so proceed to the next step.)

Use a custom copy of the default updownscript. Do not change the route 
commands, but add a diagnostic message revealing the exact text of the 
route command. Is there a problem with the sense of the route command
that you can see? If so, then re-examine those ipsec.conf settings
that are being sent to the route command. 

You may wish to use the ipsec auto --route and --unroute commands to 
troubleshoot the problem. See man ipsec_auto for details.
</PRE>
 Since the above message was written, we have modified the updown 
script to provide a better diagnostic for this problem. Check <VAR>
/var/log/messages</VAR>. 
<H3><A name="noKLIPS">ipsec_setup: Fatal error, kernel appears to lack 
KLIPS</A></H3>
 This message indicates an installation failure. The kernel you are 
running does not contain the KLIPS (kernel IPSEC) code. 
<P> Commands you can quickly try are: </P>
<DL>
<DT><VAR>uname -a</VAR></DT>
<DD>to get details, including compilation date and time, of the 
currently running kernel </DD>
<DT><VAR>ls /</VAR></DT>
<DT><VAR>ls /boot</VAR></DT>
<DD>to ensure a new kernel is where it should be. If kernel compilation 
puts it in <VAR>/</VAR> but <VAR>lilo</VAR> wants it in <VAR>/boot</VAR>
, then you should uncomment the <VAR>INSTALL_PATH=/boot</VAR> line in 
the kernel <VAR>Makefile</VAR>. </DD>
<DT><VAR>more /etc/lilo.conf</VAR></DT>
<DD>to see that <VAR>lilo</VAR> has correct information </DD>
<DT><VAR>lilo</VAR></DT>
<DD>to ensure that information in <VAR>/etc/lilo.conf</VAR> has been 
transferred to the boot sector </DD>
</DL>
 If those don't find the problem, you have to go back and check through 
the <A href="install.html">install</A> procedure to see what was 
missed. 
<P> Here is one of Claudia's messages on the topic: </P>
<PRE>
&gt; I tried to install freeswan 1.8 on my mandrake 7.2 test box. ...

&gt; It does show version and some output for whack.

Yes, because the Pluto (daemon) part of ipsec is installed correctly, but
as we see below the kernel portion is not.

&gt; However, I get the following from /var/log/messages:
&gt; 
&gt; Mar 11 22:11:55 pavillion ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
&gt; Mar 11 22:12:02 pavillion ipsec_setup: modprobe: Can't locate module ipsec
&gt; Mar 11 22:12:02 pavillion ipsec_setup: Fatal error, kernel appears to lack
&gt; KLIPS.

This is your problem. You have not successfully installed a kernel with
IPSec machinery in it. 

Did you build Linux FreeS/WAN as a module? If so, you need to ensure that 
your new module has been installed in the directory where your kernel 
loader normally finds your modules. If not, you need to ensure
that the new IPSec-enabled kernel is being loaded correctly.

See also doc/install.html, and INSTALL in the distro.
</PRE>
<H3><A name="noDNS">ipsec_setup: ... failure to fetch key for ... from 
DNS</A></H3>
 Quoting Henry: 
<PRE>
Note that by default, FreeS/WAN is now set up to
     (a) authenticate with RSA keys, and
     (b) fetch the public key of the far end from DNS.
Explicit attention to  ipsec.conf will be needed if you want
to do something different.
</PRE>
 and Claudia, responding to the same user: 
<PRE>
You write,

&gt;       My current setup in ipsec.conf is leftrsasigkey=%dns I have 
&gt; commented this and authby=rsasig out. I am able to get ipsec running, 
&gt; but what I find is that the documentation only specifies for %dns are 
&gt; there any other values that can be placed in this variable other than 
&gt; %dns and the key? I am also assuming that this is where I would place 
&gt; my public key for the left and right side as well is this correct?

Valid values for authby= are rsasig and secret, which entail authentication
by RSA signature or by shared secret, respectively. Because you have 
commented authby=rsasig out, you are using the default value of authby=secret. 

When using RSA signatures, there are two ways to get the public key for the
IPSec peer: either copy it directly into *rsasigkey= in ipsec.conf, or
fetch it from dns. The magic value %dns for *rsasigkey parameters says to 
try to fetch the peer's key from dns.

For any parameters, you may find their significance and special values in
man ipsec.conf. If you are setting up keys or secrets, be sure also to
reference man ipsec.secrets.
</PRE>
<H3><A name="dup_address">ipsec_setup: ... interfaces ... and ... share 
address ...</A></H3>
 This is a fatal error. FreeS/WAN cannot cope with two or more 
interfaces using the same IP address. You must re-configure to avoid 
this. 
<P> A mailing list message on the topic from Pluto developer Hugh 
Redelmeier: </P>
<PRE>
| I'm trying to get freeswan working between two machine where one has a ppp
| interface.
| I've already suceeded with  two machines with ethernet ports but  the ppp
| interface is causing me problems.
|  basically when I run ipsec start  i get
| ipsec_setup: Starting FreeS/WAN IPSEC 1.7...
| ipsec_setup: 003 IP interfaces ppp1 and ppp0 share address 192.168.0.10!
| ipsec_setup: 003 IP interfaces ppp1 and ppp2 share address 192.168.0.10!
| ipsec_setup: 003 IP interfaces ppp0 and ppp2 share address 192.168.0.10!
| ipsec_setup: 003 no public interfaces found
|
| followed by lots of cannot work out interface for connection messages
|
| now I can specify the interface in ipsec.conf to be ppp0 , but this does
| not affect the above behaviour. A quick look in server.c indicates that the
| interfaces value  is not used but some sort of raw detect happens.
|
| I guess I could prevent the formation of the extra ppp interfaces or
| allocate them different ip but I'd  rather not. if at all possible. Any
| suggestions please.

Pluto won't touch an interface that shares an IP address with another.
This will eventually change, but it probably won't happen soon.

For now, you will have to give the ppp1 and ppp2 different addresses.
</PRE>
<H3><A name="kflags">ipsec_setup: Cannot adjust kernel flags</A></H3>
 A mailing list message form technical lead Henry Spencer: 
<PRE>
&gt; When FreeS/WAN IPSEC 1.7 is starting on my 2.0.38 Linux kernel the following
&gt; error message is generated:
&gt; ipsec_setup: Cannot adjust kernel flags, no /proc/sys/net/ipsec directory!
&gt; What is supposed to create this directory and how can I fix this problem?

I think that directory is a 2.2ism, although I'm not certain (I don't have
a 2.0.xx system handy any more for testing).  Without it, some of the
ipsec.conf config-setup flags won't work, but otherwise things should
function. 
</PRE>
 You also need to enable the <VAR>/proc</VAR> filesystem in your kernel 
configuration for these operations to work. 
<H3><A name="conn_name">Connection names in Pluto error messages</A></H3>
<P> From Pluto programmer Hugh Redelmeier:</P>
<PRE>
| Jan 17 16:21:10 remus Pluto[13631]: &quot;jumble&quot; #1: responding to Main Mode from Road Warrior 130.205.82.46
| Jan 17 16:21:11 remus Pluto[13631]: &quot;jumble&quot; #1: no suitable connection for peer @banshee.wittsend.com
| 
|     The connection &quot;jumble&quot; has nothing to do with the incoming
| connection requests, which were meant for the connection &quot;banshee&quot;.

You are right.  The message tells you which Connection Pluto is
currently using, which need not be the right one.  It need not be the
right one now for the negotiation to eventually succeed!  This is
described in ipsec_pluto(8) in the section &quot;Road Warrior Support&quot;.

There are two times when Pluto will consider switching Connections for
a state object.  Both are in response to receiving ID payloads (one in
Phase 1 / Main Mode and one in Phase 2 / Quick Mode).  The second is
not unique to Road Warriors.  In fact, neither is the first any more
(two connections for the same pair of hosts could differ in Phase 1 ID
payload; probably nobody else has tried this).
</PRE>
<H3><A name="cantorient">Pluto: ... can't orient connection</A></H3>
 Each Pluto needs to know whether it is running on the machine which 
the connection description calls <VAR>left</VAR> or on <VAR>right</VAR>
. It figures that out by: 
<UL>
<LI>looking at the interfaces given in <VAR>interfaces=</VAR> lines in 
the <VAR>config setup</VAR> section </LI>
<LI>discovering the IP addresses for those interfaces </LI>
<LI>searching for a match between those addresses and the ones  given 
in <VAR>left=</VAR> or <VAR>right=</VAR> lines. </LI>
</UL>
<P> Normally a match is found. Then Pluto knows where it is and can set 
up other things (for example, if it is <VAR>left</VAR>) using 
parameters such as <VAR>leftsubnet</VAR> and <VAR>leftnexthop</VAR>, 
and sending its outgoing packets to <VAR>right</VAR>. </P>
<P> If no match is found, it emits the above error message. </P>
<H3><A name="noconn">Pluto: ... no connection is known</A></H3>
 This error message occurs when a remote system attempts to negotiate a 
connection and Pluto does not have a connection description that 
matches what the remote system has requested. The most common cause is 
a configuration error on one end or the other. 
<P> Parameters involved in this match are <VAR>left</VAR>, <VAR>right</VAR>
, <VAR>leftsubnet</VAR> and <VAR>rightsubnet</VAR>. </P>
<P><STRONG> The match must be exact</STRONG>. For example, if your left 
subnet is a.b.c.0/24 then neither a single machine in that net nor a 
smaller subnet such as a.b.c.64/26 will be considered a match. </P>
<P> The message can also occur when an appropriate description exists 
but Pluto has not loaded it. Use an <VAR>auto=add</VAR> statement in 
the connection description, or an <VAR>ipsec auto --add &lt;conn_name&gt;</VAR>
 command, to correct this. </P>
<P> An explanation from the Pluto developer: </P>
<PRE>
| Jul 12 15:00:22 sohar58 Pluto[574]: &quot;corp_road&quot; #2: cannot respond to IPsec
| SA request because no connection is known for
| 216.112.83.112/32===216.112.83.112...216.67.25.118

This is the first message from the Pluto log showing a problem.  It
means that PGPnet is trying to negotiate a set of SAs with this
topology:

216.112.83.112/32===216.112.83.112...216.67.25.118
^^^^^^^^^^^^^^^^^   ^^^^^^^^^^^^^^   ^^^^^^^^^^^^^
client on our side  our host         PGPnet host, no client

None of the conns you showed look like this.

Use
        ipsec auto --status
to see a snapshot of what connections are in pluto, what
negotiations are going on, and what SAs are established.

The leftsubnet= (client) in your conn is 216.112.83.64/26.  It must
exactly match what pluto is looking for, and it does not.
</PRE>
<H3><A name="nosuit">Pluto: ... no suitable connection ...</A></H3>
 This is similar to the <A href="#noconn">no connection known</A>
 error, but occurs at a different point in Pluto processing. 
<P> Here is one of Claudia's messages explaining the problem: </P>
<PRE>
You write,

&gt; What could be the reason of the following error? 
&gt; &quot;no suitable connection for peer '@xforce'&quot;

When a connection is initiated by the peer, Pluto must choose which entry in 
the conf file best matches the incoming connection. A preliminary choice is 
made on the basis of source and destination IPs, since that information is 
available at that time. 

A payload containing an ID arrives later in the negotiation. Based on this
id and the *id= parameters, Pluto refines its conn selection. ...

The message &quot;no suitable connection&quot; indicates that in this refining step,
Pluto does not find a connection that matches that ID.

Please see &quot;Selecting a connection when responding&quot; in man ipsec_pluto for
more details.
</PRE>
<P> See also <A href="#conn_name">Connection names in Pluto error 
messages</A>. </P>
<H3><A name="noconn.auth">Pluto: ... no connection has been authorized</A>
</H3>
 Here is one of Claudia's messages discussing this problem: 
<PRE>
You write,

&gt;  May 22 10:46:31 debian Pluto[25834]: packet from x.y.z.p:10014: 
&gt;  initial Main Mode message from x.y.z.p:10014 
                            but no connection has been authorized

This error occurs early in the connection negotiation process,
at the first step of IKE negotiation (Main Mode), which is itself the 
first of two negotiation phases involved in creating an IPSec connection.

Here, Linux FreeS/WAN receives a packet from a potential peer, which 
requests that they begin discussing a connection.

The &quot;no connection has been authorized&quot; means that there is no connection 
description in Linux FreeS/WAN's internal database that can be used to 
link your ipsec interface with that peer.

&quot;But of course I configured that connection!&quot; 

It may be that the appropriate connection description exists in ipsec.conf 
but has not been added to the database with ipsec auto --add myconn or the 
auto=add method. Or, the connection description may be misconfigured.

The only parameters that are relevant in this decision are left= and right= .
Local and remote ports are also taken into account -- we see that the port 
is printed in the message above -- but there is no way to control these
in ipsec.conf.


Failure at &quot;no connection has been authorized&quot; is similar to the
&quot;no connection is known for...&quot; error in the FAQ, and the &quot;no suitable
connection&quot; error described in the snapshot's FAQ. In all three cases,
Linux FreeS/WAN is trying to match parameters received in the
negotiation with the connection description in the local config file.

As it receives more information, its matches take more parameters into 
account, and become more precise:  first the pair of potential peers,
then the peer IDs, then the endpoints (including any subnets).

The &quot;no suitable connection for peer *&quot; occurs toward the end of IKE 
(Main Mode) negotiation, when the IDs are matched.

&quot;no connection is known for a/b===c...d&quot; is seen at the beginning of IPSec 
(Quick Mode, phase 2) negotiation, when the connections are matched using
left, right, and any information about the subnets.
</PRE>
<H3><A name="noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
</H3>
 This message occurs when the other system attempts to negotiate a 
connection using single DES, which we do not support because it is <A href="#desnotsecure">
insecure</A>. 
<P> Our interoperation document has suggestions for <A href="#noDES">
 how to deal with</A> systems that attempt to use single DES. </P>
<H3><A name="notransform"> Pluto: ... no acceptable transform</A></H3>
 This message means that the other gateway has made a proposal for 
connection parameters, but nothing they proposed is acceptable to 
Pluto. Possible causes include: 
<UL>
<LI>misconfiguration on either end </LI>
<LI>policy incompatibilities, for example we require encrypted 
connections but they are trying to create one with just authentication </LI>
<LI>interoperation problems, for example they offer only single DES and 
FreeS/WAN does not support that. (see <A href="#noDES">below</A> for 
DES problems) </LI>
</UL>
 A more detailed explanation, from Pluto programmer Hugh Redelmeier:
<PRE>
Background:

When one IKE system (for example, Pluto) is negotiating with another
to create an SA, the Initiator proposes a bunch of choices and the
Responder replies with one that it has selected.

The structure of the choices is fairly complicated.  An SA payload
contains a list of lists of &quot;Proposals&quot;.  The outer list is a set of
choices: the selection must be from one element of this list.

Each of these elements is a list of Proposals.  A selection must be
made from each of the elements of the inner list.  In other words,
*all* of them apply (that is how, for example, both AH and ESP can
apply at once).

Within each of these Proposals is a list of Transforms.  For each
Proposal selected, one Transform must be selected (in other words,
each Proposal provides a choice of Transforms).

Each Transform is made up of a list of Attributes describing, well,
attributes.  Such as lifetime of the SA.  Such as algorithm to be
used.  All the Attributes apply to a Transform.

You will have noticed a pattern here: layers alternate between being
disjunctions (&quot;or&quot;) and conjunctions (&quot;and&quot;).

For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
cut back.  There must be exactly one Proposal.  So this degenerates to
a list of Transforms, one of which must be chosen.

In your case, no proposal was considered acceptable to Pluto (the
Responder).  So negotiation ceased.  Pluto logs the reason it rejects
each Transform.  So look back in the log to see what is going wrong.
</PRE>
<H3><A name="econnrefused">ECONNREFUSED error message</A></H3>
<P> From John Denker, on the mailing list:</P>
<PRE>
1)  The log message
  some IKE message we sent has been rejected with 
  ECONNREFUSED (kernel supplied no details)
is much more suitable than the previous version.  Thanks.

2) Minor suggestion for further improvement: it might be worth mentioning
that the command
  tcpdump -i eth1 icmp[0] != 8 and icmp[0] != 0
is useful for tracking down the details in question.  We shouldn't expect
all IPsec users to figure that out on their own.  The log message might
even provide a hint as to where to look in the docs.
</PRE>
<P> Reply From Pluto developer Hugh Redelmeier</P>
<PRE>
Good idea.

I've added a bit pluto(8)'s BUGS section along these lines.
I didn't have the heart to lengthen this message.
</PRE>
<LI><A name="no_eroute">klips_debug: ... no eroute!</A> This message 
means <A href="#KLIPS">KLIPS</A> has received a packet for which no 
IPSEC tunnel has been defined. </LI>
<P> Here is a more detailed duscussion from the team's tech support 
person Claudia Schmeing, responding to a query on the mailing list: </P>
<PRE>
&gt; Why ipsec reports no eroute! ???? IP Masq... is disabled.
In general, more information is required so that people on the list may
give you informed input. See doc/prob.report.

However, I can make some general comments on this type of error.

This error usually looks something like this (clipped from an archived
message):

&gt; ttl:64 proto:1 chk:45459 saddr:192.168.1.2 daddr:192.168.100.1
&gt; ... klips_debug:ipsec_findroute: 192.168.1.2-&gt;192.168.100.1
&gt; ... klips_debug:rj_match: * See if we match exactly as a host destination
&gt; ... klips_debug:rj_match: ** try to match a leaf, t=0xc1a260b0
&gt; ... klips_debug:rj_match: *** start searching up the tree, t=0xc1a260b0
&gt; ... klips_debug:rj_match: **** t=0xc1a260c8
&gt; ... klips_debug:rj_match: **** t=0xc1fe5960
&gt; ... klips_debug:rj_match: ***** not found.
&gt; ... klips_debug:ipsec_tunnel_start_xmit: Original head/tailroom: 2, 28
&gt; ... klips_debug:ipsec_tunnel_start_xmit: no eroute!: ts=47.3030, dropping.


What does this mean?
- --------------------

&quot;eroute&quot; stands for &quot;extended route&quot;, and is a special type of route 
internal to Linux FreeS/WAN. For more information about this type of route, 
see the section of man ipsec_auto on ipsec auto --route.

&quot;no eroute!&quot; here means, roughly, that Linux FreeS/WAN cannot find an 
appropriate tunnel that should have delivered this packet. Linux 
FreeS/WAN therefore drops the packet, with the message &quot;no eroute! ...
dropping&quot;, on the assumption that this packet is not a legitimate 
transmission through a properly constructed tunnel.


How does this situation come about?
- -----------------------------------

Linux FreeS/WAN has a number of connection descriptions defined in 
ipsec.conf. These must be successfully brought &quot;up&quot; to form actual tunnels.
(see doc/setup.html's step 15, man ipsec.conf and man ipsec_auto 
for details).

Such connections are often specific to the endpoints' IPs. However, in 
some cases they may be more general, for example in the case of 
Road Warriors where left or right is the special value %any.

When Linux FreeS/WAN receives a packet, it verifies that the packet has
come through a legitimate channel, by checking that there is an
appropriate tunnel through which this packet might legitimately have
arrived. This is the process we see above.

First, it checks for an eroute that exactly matches the packet. In the 
example above, we see it checking for a route that begins at 192.168.1.2
and ends at 192.168.100.1. This search favours the most specific match that
would apply to the route between these IPs. So, if there is a connection 
description exactly matching these IPs, the search will end there. If not, 
the code will search for a more general description matching the IPs.
If there is no match, either specific or general, the packet will be
dropped, as we see, above.

Unless you are working with Road Warriors, only the first, specific part 
of the matching process is likely to be relevant to you.


&quot;But I defined the tunnel, and it came up, why do I have this error?&quot;
- ---------------------------------------------------------------------

One of the most common causes of this error is failure to specify enough
connection descriptions to cover all needed tunnels between any two 
gateways and their respective subnets. As you have noticed, troubleshooting
this error may be complicated by the use of IP Masq. However, this error is
not limited to cases where IP Masq is used. 

See doc/configuration.html#multitunnel for a detailed example of the 
solution to this type of problem.
</PRE>
<H3><A name="SAused">... trouble writing to /dev/ipsec ... SA already 
in use</A></H3>
 From the mailing list: 
<PRE>
&gt; When I activate one manual tunnels it works, but when I try to activate
&gt; another tunnel, it gives an error message...
&gt; tunnel_2: Had trouble writing to /dev/ipsec SA:tun0x200@202.103.5.63 --
&gt; SA already in use.  Delete old one first.

Please read the Using manual keying in production discussion in
config.html, specifically the part about needing a different spi
(or spibase) setting for each connection. 
</PRE>
 This problem is also discussed in this FAQ under the heading <A href="#spi_error">
One manual connection works, but second one fails</A>. 
<H3><A name="ignore">... ignoring ... payload</A></H3>
 This message is harmless. The IKE protocol provides for a number of 
optional messages types: 
<UL>
<LI>delete SA </LI>
<LI>initial contact </LI>
<LI>vendor ID </LI>
<LI> ... </LI>
</UL>
 An implementation is never required to send these, but they are 
allowed to.  The receiver is not required to do anything with them. 
FreeS/WAN ignores them, but notifies you via the logs. 
<P> For the &quot;ignoring delete SA Payload&quot; message, see also the 
discussion below of cleaning up <A href="#deadtunnel">dead tunnels</A>. </P>
<H2><A name="canI">Can I ...</A></H2>
<H3><A name="reload">Can I reload connection info without restarting?</A>
</H3>
 Yes, you can do this. Here are the details, in a mailing list message 
from Pluto programmer Hugh Redelmeier: 
<PRE>
| How can I reload config's without restarting all of pluto and klips?  I am using
| FreeSWAN -&gt; PGPNet in a medium sized production environment, and would like to be
| able to add new connections ( i am using include config/* ) without dropping current
| SA's.
| 
| Can this be done?
| 
| If not, are there plans to add this kind of feature?

        ipsec auto --add whatever
This will look in the usual place (/etc/ipsec.conf) for a conn named
whatever and add it.

If you added new secrets, you need to do
        ipsec auto --rereadsecrets
before Pluto needs to know those secrets.

| I have looked (perhaps not thoroughly enough tho) to see how to do this:

There may be more bits to look for, depending on what you are trying
to do.
</PRE>
<P> Another useful command here is <NOBR><VAR>ipsec auto --replace 
&lt;conn_name&gt;</VAR></NOBR> which re-reads data for a named connection. </P>
<H3><A name="masq.faq">Can I use several masqueraded subnets?</A></H3>
 Yes. This is done all the time. See the discussion in our <A href="#route_or_not">
setup</A> document. The only restriction is that the subnets on the two 
ends must not overlap. See the next question. 
<P> Here is a mailing list message on the topic. The user incorrectly 
thinks you need a 2.4 kernel for this -- actually various people have 
been doing it on 2.0 and 2.2 for quite some time -- but he has it right 
for 2.4. </P>
<PRE>
Subject: Double NAT and freeswan working :)
   Date: Sun, 11 Mar 2001
   From: Paul Wouters &lt;paul@xtdnet.nl&gt;

Just to share my pleasure, and make an entry for people who are searching
the net on how to do this. Here's the very simple solution to have a double
NAT'ed network working with freeswan. (Not sure if this is old news, but I'm
not on the list (too much spam) and I didn't read this in any HOWTO/FAQ/doc
on the freeswan site yet (Sandy, put it in! :)

10.0.0.0/24 --- 10.0.0.1 a.b.c.d  ---- a.b.c.e {internet} ----+
                                                              |
10.0.1.0/24 --- 10.0.1.1 f.g.h.i  ---- f.g.h.j {internet} ----+

the goal is to have the first network do a VPN to the second one, yet also
have NAT in place for connections not destinated for the other side of the
NAT. Here the two Linux security gateways have one real IP number (cable
modem, dialup, whatever.

The problem with NAT is you don't want packets from 10.*.*.* to 10.*.*.*
to be NAT'ed. While with Linux 2.2, you can't, with Linux 2.4 you can.

(This has been tested and works for 2.4.2 with Freeswan snapshot2001mar8b)

relevant parts of /etc/ipsec.conf:

        left=f.g.h.i
        leftsubnet=10.0.1.0/24
        leftnexthop=f.g.h.j
        leftfirewall=yes
        leftid=@firewall.netone.nl
        leftrsasigkey=0x0........
        right=a.b.c.d
        rightsubnet=10.0.0.0/24
        rightnexthop=a.b.c.e
        rightfirewall=yes
        rightid=@firewall.nettwo.nl
        rightrsasigkey=0x0......
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add

and now the real trick. Setup the NAT correctly on both sites:

iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -d \! 10.0.0.0/8 -j MASQUERADE

This tells the NAT code to only do NAT for packets with destination other then
10.* networks. note the backslash to mask the exclamation mark to protect it
against the shell.

Happy painting :)

Paul
</PRE>
<H3><A name="dup_route">Can I use subnets masqueraded to the same 
addresses?</A></H3>
<STRONG> No.</STRONG> The notion that IP addresses are unique is one of 
the fundamental principles of the IP protocol. Messing with it is 
exceedingly perilous. 
<P> Fairly often a situation comes up where a company has several 
branches, all using the same <A href="#non-routable">non-routable 
addresses</A>, perhaps 192.168.0.0/24. This works fine as long as those 
nets are kept distinct. The <A href="#masq">IP masquerading</A> on 
their firewalls ensures that packets reaching the Internet carry the 
firewall address, not the private address. </P>
<P> This can break down when IPSEC enters the picture. FreeS/WAN builds 
a tunnel that pokes through both masquerades and delivers packets from <VAR>
leftsubnet</VAR> to <VAR>rightsubnet</VAR> and vice versa. For this to 
work, the two subnets <EM>must</EM> be distinct. </P>
<P> There are several solutions to this problem. </P>
<UL>
<LI>Usually, you <STRONG>re-number the subnets</STRONG>. Perhaps the 
Vancouver office becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and 
so on. FreeS/WAN can happily handle this. With, for example <VAR>
leftsubnet=192.168.101.0/24</VAR> and <VAR>rightsubnet=192.168.102.0/24</VAR>
 in a connection description, any machine in Calgary can talk to any 
machine in Vancouver. If you want to be more restrictive and use 
something like <VAR>leftsubnet=192.168.101.128/25</VAR> and <VAR>
rightsubnet=192.168.102.240/28</VAR> so only certain machines on each 
end have access to the tunnel, that's fine too. </LI>
<LI>You could also <STRONG>split the subnet</STRONG> into smaller ones, 
for example using <VAR>192.168.1.0/25</VAR> in Vancouver and <VAR>
rightsubnet=192.168.0.128/25</VAR> in Calgary. </LI>
<LI>Alternately, you can just <STRONG>give up routing</STRONG> directly 
to machines on the subnets. Omit the <VAR>leftsubnet</VAR> and <VAR>
rightsubnet</VAR> parameters from your connection descriptions. Your 
IPSEC tunnels will then run between the public interfaces of the two 
firewalls. Packets will be masqueraded both before they are put into 
tunnels and after they emerge. Your Vancouver client machines will see 
only one Calgary machine, the firewall. </LI>
</UL>
<H3><A name="road.masq">Can I assign a road warrior an address on my 
net?</A></H3>
 Yes, but it is tricky. This has been discussed on the mailing list. 
The discussion was not entirely clear to me, so I cannot yet document 
the procedures. At this point, all I know is: 
<UL>
<LI>You can use a variant of the <A href="#extruded">extruded subnet</A>
 procedure. </LI>
<LI>You have to avoid having the road warrior's assigned address within 
the range you actually use at home base. See previous question. </LI>
<LI>On the other hand, you want the roadwarrior's address to be within 
the range that <EM>seems</EM> to be on your network. </LI>
</UL>
<P> For example, you might have: </P>
<DL>
<DT>leftsubnet=a.b.c.0/25</DT>
<DD>head office network</DD>
<DT>rightsubnet=a.b.c.240/32</DT>
<DD>extruded to a road warrior</DD>
<DT>a.b.c.0/24</DT>
<DD>whole network, including both the above</DD>
</DL>
<H3><A name="QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
</H3>
 From project technical lead Henry Spencer: 
<PRE>
&gt; Do QoS add to FreeS/WAN?
&gt;For example integrating DiffServ and FreeS/WAN?

With a current version of FreeS/WAN, you will have to add hidetos=no to
the config-setup section of your configuration file.  By default, the TOS
field of tunnel packets is zeroed; with hidetos=no, it is copied from the
packet inside.  (This is a modest security hole, which is why it is no
longer the default.)

DiffServ does not interact well with tunneling in general.  Ways of
improving this are being studied.
</PRE>
<P> Copying the TOS information from the encapsulated packet to the 
outer header reveals the TOS information to an eavesdropper. It is not 
clear whether or how an attacker could use this information, but since 
we do not have to give it to him, our default is not to. </P>
<P> See <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> for 
more on the <VAR>hidetos=</VAR> parameter. </P>
<H3><A name="deadtunnel">Can I recognise dead tunnels and shut them 
down?</A></H3>
 There is no general mechanism to do this is in the IPSEC protocols. 
<P> From time to time, there is discussion on the IETF Working Group <A href="#IETF">
mailing list</A> of adding a &quot;keep-alive&quot; mechanism (which some say 
should be called &quot;make-dead&quot;), but it is a fairly complex problem and 
no consensus has been reached on whether or how it should be done. </P>
<P> The protocol does have optional <A href="#ignore">delete-SA</A>
 messages which one side can send when it closes a connection in hopes 
this will cause the other side to do the same. FreeS/WAN does not 
currently support these. In any case, they would not solve the problem 
since: </P>
<UL>
<LI>a gateway that crashes or hangs would not send the messages </LI>
<LI>the sender is not required to send them </LI>
<LI>they are not authenticated, so any receiver that trusts them leaves 
itself open to a <A href="#DoS">denial of service</A> attack </LI>
<LI>the receiver is not required to do anything about them </LI>
<LI>the receiver cannot acknowledge them; the protocol provides no 
mechanism for that </LI>
<LI>since they are not acknowledged, the sender cannot rely on them </LI>
</UL>
<P> However, connections do have limited lifetimes and you can control 
how many attempts your gateway makes to rekey before giving up. For 
example, you can set: </P>
<PRE>
conn default
        keyingtries=3
        keylife=30m
</PRE>
 With these settings old connections will be cleaned up. Within 30 
minutes of the other end dying, rekeying will be attempted. If it 
succeeds, the new connection replaces the old one. If it fails, no new 
connection is created. Either way, the old connection is taken down 
when its lifetime expires. 
<P> Here is a mailing list message on the topic from FreeS/WAN tech 
support person Claudia Schmeing: </P>
<PRE>
You ask how to determine whether a tunnel is redundant:

&gt; Can anybody explain the best way to determine this. Esp when a RW has
&gt; disconnected? I thought 'ipsec auto --status' might be one way.

If a tunnel goes down from one end, Linux FreeS/WAN on the
other end has no way of knowing this until it attempts to rekey.
Once it tries to rekey and fails, it will 'know' that the tunnel is 
down.

Because it doesn't have a way of knowing the state until this point, 
it will also not be able to tell you the state via ipsec auto --status.

&gt; However, comparing output from a working tunnel with that of one that
&gt; was closed 
&gt; did not show clearly show tunnel status.

If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
should not be able to ping the opposite side of the tunnel. You can
use this as an indicator of tunnel status.

On a related note, you may be interested to know that as of 1.7, 
redundant tunnels caused by RW disconnections are likely to be 
less of a pain. From doc/CHANGES:

    There is a new configuration parameter, uniqueids, to control a new Pluto
    option:  when a new connection is negotiated with the same ID as an old
    one, the old one is deleted immediately.  This should help eliminate
    dangling Road Warrior connections when the same Road Warrior reconnects. 
    It thus requires that IDs not be shared by hosts (a previously legal but
    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
    uniqueids=yes in its config-setup section.


Cheers,

Claudia
</PRE>
<H3><A name="demanddial">Can I build IPSEC tunnels over a demand-dialed 
link?</A></H3>
 This is possible, but not easy. FreeS/WAN technical lead Henry Spencer 
wrote: 
<PRE>
&gt; 5. If the ISDN link goes down in between and is reestablished, the SAs
&gt; are still up but the eroute are deleted and the IPSEC interface shows
&gt; garbage (with ifconfig)
&gt; 6. Only restarting IPSEC will bring the VPN back online.

This one is awkward to solve.  If the real interface that the IPsec
interface is mounted on goes down, it takes most of the IPsec machinery
down with it, and a restart is the only good way to recover. 

The only really clean fix, right now, is to split the machines in two: 

1. A minimal machine serves as the network router, and only it is aware
that the link goes up and down. 

2. The IPsec is done on a separate gateway machine, which thinks it has
a permanent network connection, via the router.

This is clumsy but it does work.  Trying to do both functions within a
single machine is tricky.  There is a software package (diald) which will
give the illusion of a permanent connection for demand-dialed modem
connections; I don't know whether it's usable for ISDN, or whether it can
be made to cooperate properly with FreeS/WAN. 

Doing a restart each time the interface comes up *does* work, although it
is a bit painful.  I did that with PPP when I was running on a modem link;
it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
the right times.  (I'd meant to investigate diald but never found time.)

In principle you don't need to do a complete restart on reconnect, but you
do have to rebuild some things, and we have no nice clean way of doing
only the necessary parts.
</PRE>
 In the same thread, one user commented: 
<PRE>
Subject: Re: linux-ipsec: IPSEC and Dial Up Connections
   Date: Wed, 22 Nov 2000
   From: Andy Bradford &lt;andyb@calderasystems.com&gt;

On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:

&gt; Are there any ideas what might be the cause of the problem and any way
&gt; to work around it.
&gt; Any help is highly appreciated.

On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
will be executed each time that the ppp interface is brought up.  
Likewise there is an ip-down script that is called when it is taken 
down.  You might consider custimzing those to stop and start FreeS/Wan 
with each connection.  I believe that ISDN uses the same files, though 
I could be wrong---there should be something similar though.
</PRE>
<H3><A name="GRE">Can I build GRE tunnels over IPSEC?</A></H3>
 This is possible in theory, but we are short on practical details. If 
you do this, please let us know via the <A href="mail.html">mailing 
lists</A>. 
<P> Theere is a <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00209.html">
list message</A> with links to relevant resources. </P>
<H3><A name="PKIcert"> Does FreeS/WAN support X.509 or other PKI 
certificates?</A></H3>
 FreeS/WAN, as distributed, does not currently support use of <A href="#X509">
X.509</A> or other <A href="#PKI">PKI</A> certificates for 
authentication of gateways. We are concentrating on moving toward 
authentication via <A href="#SDNS">Secure DNS</A> and <A href="#carpediem">
opportunistic encryption</A>; X.509 support is not (or at least not 
yet) on the priority list. 
<P> On the other hand, it is a priority for some users and 
user-contributed patches are available to add X.509 certificate support 
to FreeS/WAN now. See the <A href="#patch"> patches</A> section of our 
web references document for details. </P>
<H3><A name="Radius">Does FreeS/WAN support Radius or other user 
authentication?</A></H3>
 Not yet. So far, there is no standard way to authenticate users for 
IPSEC, though there is a very active IETF <A href="http://www.ietf.org/html.charters/ipsra-charter.html">
working group</A> looking at the problem, and several vendors have 
implemented various things already. 
<P> In the absence of a standard, user authentication has not been a 
priority for the FreeS/WAN team, and is unlikely to become one. This 
would be a good project for a volunteer, perhaps a staff member or 
contractor at some company that needs the feature. Certainly our team 
would co-operate with such an effort; we just don't have time to do it. </P>
<P> Of course, there are various ways to avoid any requirement for user 
authentication in IPSEC. Consider the situation where road warriors 
build IPSEC tunnels to your office net and you are considering 
requiring user authentication during tunnel negotiation. Alternatives 
include: </P>
<UL>
<LI>If you can trust the road warrior machines, then set them up so 
that only authorised users can create tunnels. If your road warriors 
use laptops, consider the possibility of theft. </LI>
<LI>If the tunnel only provides access to particular servers and you 
can trust those servers, then set the servers up to require user 
authentication. </LI>
</UL>
 If either of those is trustworthy, it is not clear that you need user 
authentication in IPSEC. 
<H3><A name="noDES.faq">Does FreeS/WAN support single DES encryption?</A>
</H3>
 No, single DES is not used either at the <A href="#IKE">IKE</A> level 
for negotiating connections or at the <A href="#IPSEC">IPSEC</A> level 
for actually building them. 
<P> Single DES is <A href="#desnotsecure">insecure</A>. As we see it, 
it is more important to deliver real security than to comply with a 
standard which has been subverted into allowing use of inadequate 
methods. See this <A href="#weak">discussion</A>. </P>
<P> If you want to interoperate with an IPSEC implementation which 
offers only DES, see our <A href="#noDES">interoperation</A> document. </P>
<H2><A name="spam">Why don't you restrict the mailing lists to reduce 
spam?</A></H2>
<P> As a matter of policy, some of our <A href="mail.html">mailing lists</A>
 need to be open to non-subscribers. Project management feel strongly 
that maintaining this openness is more important than blocking spam. </P>
<UL>
<LI>Users should be able to get help or report bugs without 
subscribing. </LI>
<LI>Even a user who is subscribed may not have access to his or her 
subscribed account when he or she needs help, miles from home base in 
the middle of setting up a client's gateway. </LI>
<LI>There is arguably a legal requirement for this policy. A US 
resident or citizen could be charged under munitions export laws for 
providing technical assistance to a foreign cryptographic project. Such 
a charge would be more easily defended if the discussion takes place in 
public, on an open list. </LI>
</UL>
<P> This has been discussed several times at some length on the list. 
See the <A href="#archive">list archives</A>. Bringing the topic up 
again is unlikely to be useful. Please don't. Or at the very least, 
please don't without reading the archives and being certain that 
whatever you are about to suggest has not yet been discussed. </P>
<P> Project technical lead Henry Spencer summarised one discussion: <BLOCKQUOTE>
 For the third and last time:  this list *will* *not* do address-based 
filtering.  This is a policy decision, not an implementation problem. 
The decision is final, and is not open to discussion.  This needs to be 
communicated better to people, and steps are being taken to do that. </BLOCKQUOTE>
 Adding this FAQ section is one of the steps he refers to. </P>
<P> You have various options other than just putting up with the spam, 
filtering it yourself, or unsubscribing: </P>
<UL>
<LI>subscribe only to one or both of our lists with restricted posting 
rules: 
<UL>
<LI><A href="mailto:briefs@lists.freeswan.org?body=subscribe">briefs</A>
, weekly list summaries </LI>
<LI><A href="mailto:announce@lists.freeswan.org?body=subscribe">announce</A>
, project-related announcements </LI>
</UL>
</LI>
<LI>read the other lists via the <A href="#archive">archives</A></LI>
</UL>
<P> A number of tools are available to filter mail. </P>
<UL>
<LI>Many mail readers include some filtering capability. </LI>
<LI>Many Linux distributions include <A href="http://www.procmail.org/">
procmail(8)</A> for server-side filtering. </LI>
<LI>The <A href="http://www.spambouncer.org/">Spam Bouncer</A> is a set 
of procmail(8) filters designed to combat spam. </LI>
<LI>Roaring Penguin have a <A href="http://www.roaringpenguin.com/mimedefang/">
MIME defanger</A> that removes potentially dangerous attachments. </LI>
</UL>
<P> If you use your ISP's mail server rather than running your own, 
consider suggesting to the ISP that they tag suspected spam as <A href="http://www.msen.com/1997/spam.html#SUSPECTED">
this ISP</A> does. They could just refuse mail from dubious sources, 
but that is tricky and runs some risk of losing valuable mail or 
senselessly annoying senders and their admins. However, they can safely 
tag and deliver dubious mail. The tags can greatly assist your 
filtering. </P>
<P> For information on tracking down spammers, see these <A href="http://www.rahul.net/falk/#howtos">
HowTos</A>, or the <A href="http://www.sputum.com/index2.html">Sputum</A>
 site. Sputum have a Linux anti-spam screensaver available for 
download. </P>
<P> Here is a more detailed message from Henry: </P>
<PRE>
On Mon, 15 Jan 2001, Jay Vaughan wrote:
&gt; I know I'm flogging a dead horse here, but I'm curious as to the reasons for
&gt; an aversion for a subscriber-only mailing list?

Once again:  for legal reasons, it is important that discussions of these
things be held in a public place -- the list -- and we do not want to
force people to subscribe to the list just to ask one question, because
that may be more than merely inconvenient for them.  There are also real
difficulties with people who are temporarily forced to use alternate
addresses; that is precisely the time when they may be most in need of
help, yet a subscribers-only policy shuts them out.

These issues do not apply to most mailing lists, but for a list that is
(necessarily) the primary user support route for a crypto package, they
are very important.  This is *not* an ordinary mailing list; it has to
function under awkward constraints that make various simplistic solutions
inapplicable or undesirable. 

&gt; We're *ALL* sick of hearing about list management problems, not just you
&gt; old-timers, so why don't you DO SOMETHING EFFECTIVE ABOUT IT...

Because it's a lot harder than it looks, and many existing &quot;solutions&quot;
have problems when examined closely.

&gt; A suggestion for you, based on 10 years of experience with management of my
&gt; own mailing lists would be to use mailman, which includes pretty much every
&gt; feature under the sun that you guys need and want, plus some.  The URL for
&gt; mailman...

I assure you, we're aware of mailman.  Along with a whole bunch of others,
including some you almost certainly have never heard of (I hadn't!).

&gt; As for the argument that the list shouldn't be configured to enforce
&gt; subscription - I contend that it *SHOULD* AT LEAST require manual address
&gt; verification in order for posts to be redirected.

You do realize, I hope, that interposing such a manual step might cause
your government to decide that this is not truly a public forum, and thus
you could go to jail if you don't get approval from them before mailing to
it?  If you think this sounds irrational, your government is noted for
making irrational decisions in this area; we can't assume that they will
suddenly start being sensible.  See above about awkward constraints.  You
may be willing to take the risk, but we can't, in good conscience, insist
that all users with problems do so. 

                                                          Henry Spencer
                                                       henry@spsystems.net
</PRE>
 and a message on the topic from project leader John Gilmore: 
<PRE>
Subject: Re: The linux-ipsec list's topic
   Date: Sat, 30 Dec 2000
   From: John Gilmore &lt;gnu@toad.com&gt;

I'll post this single message, once only, in this discussion, and then
not burden the list with any further off-topic messages.  I encourage
everyone on the list to restrain themself from posting ANY off-topic
messages to the linux-ipsec list.

The topic of the linux-ipsec mailing list is the FreeS/WAN software.

I frequently see &quot;discussions about spam on a list&quot; overwhelm the
volume of &quot;actual spam&quot; on a list. BOTH kinds of messages are
off-topic messages.  Twenty anti-spam messages take just as long to
detect and discard as twenty spam messages.

The Linux-ipsec list encourages on-topic messages from people who have
not joined the list itself.  We will not censor messages to the list
based on where they originate, or what return address they contain.
In other words, non-subscribers ARE allowed to post, and this will not
change.  My own valid contributions have been rejected out-of-hand by
too many other mailing lists for me to want to impose that censorship
on anybody else's contributions.  And every day I see the damage that
anti-spam zeal is causing in many other ways; that zeal is far more
damaging to the culture of the Internet than the nuisance of spam.

In general, it is the responsibility of recipients to filter,
prioritize, or otherwise manage the handling of email that comes to
them.  It is not the responsibility of the rest of the Internet
community to refrain from sending messages to recipients that they
might not want to see.  If your software infrastructure for managing
your incoming email is insufficient, then improve it.  If you think
the signal-to-noise ratio on linux-ipsec is too poor, then please
unsubscribe.  But don't further increase the noise by posting to the
linux-ipsec list about those topics.

        John Gilmore
        founder sponsor, FreeS/WAN project
</PRE>
<HR>
<H1><A name="performance">Performance of FreeS/WAN</A></H1>
 The performance of FreeS/WAN is adequate for most applications. 
Perhaps because of that, there are few detailed measurements. Those we 
know of are below. 
<P> The University of Wales at Aberystwyth has done quite detailed 
 tests and put <A href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">
their  results</A> on the web.</P>
<P><EM> Even a 486 can handle a T1 line</EM>, according to this mailing 
 list message:</P>
<PRE>Subject: Re: linux-ipsec: IPSec Masquerade
   Date: Fri, 15 Jan 1999 11:13:22 -0500
   From: Michael Richardson 

. . . A 486/66 has been clocked by Phil Karn to do
10Mb/s encryption.. that uses all the CPU, so half that to get some CPU,
and you have 5Mb/s. 1/3 that for 3DES and you get 1.6Mb/s....</PRE>
<P>and a piece of mail from project technical lead Henry Spencer:</P>
<PRE>Oh yes, and a new timing point for Sandy's docs...  A P60 -- yes, a 60MHz
Pentium, talk about antiques -- running a host-to-host tunnel to another
machine shows an FTP throughput (that is, end-to-end results with a real
protocol) of slightly over 5Mbit/s either way.  (The other machine is much
faster, the network is 100Mbps, and the ether cards are good ones... so
the P60 is pretty definitely the bottleneck.)</PRE>
<P> Here is some additional data from the mailing list. </P>
<PRE>
Subject: FreeSWAN (specically KLIPS) performance measurements
   Date: Thu, 01 Feb 2001
   From: Nigel Metheringham &lt;Nigel.Metheringham@intechnology.co.uk&gt;


I've spent a happy morning attempting performance tests against KLIPS 
(this is due to me not being able to work out the CPU usage of KLIPS so 
resorting to the crude measurements of maximum throughput to give a 
baseline to work out loading of a box).

Measurements were done using a set of 4 boxes arranged in a line, each 
connected to the next by 100Mbit duplex ethernet.  The inner 2 had an 
ipsec tunnel between them (shared secret, but I was doing measurements 
when the tunnel was up and running - keying should not be an issue 
here).  The outer pair of boxes were traffic generators or traffic sink.

The crypt boxes are Compaq DL380s - Uniprocessor PIII/733 with 256K 
cache.  They have 128M main memory.  Nothing significant was running on 
the boxes other than freeswan.  The kernel was a 2.2.19pre7 patched 
with freeswan and ext3.

Without an ipsec tunnel in the chain (ie the 2 inner boxes just being 
100BaseT routers), throughput (measured with ttcp) was between 10644 
and 11320 KB/sec

With an ipsec tunnel in place, throughput was between 3268 and 3402 
KB/sec

These measurements are for data pushed across a TCP link, so the 
traffic on the wire between the 2 ipsec boxes would have been higher 
than this....

vmstat (run during some other tests, so not affecting those figures) on 
the encrypting box shows approx 50% system 50% idle CPU - which I 
don't believe at all.  Interactive feel of the box was significantly 
sluggish.

I also tried running the kernel profiler (see man readprofile) during 
test runs.

A box doing primarily decrypt work showed basically nothing happening - 
I assume interrupts were off.
A box doing encrypt work showed the following:-
 Ticks Function                                   Load
 ~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    ~~~~~~
   956 total                                      0.0010
   532 des_encrypt2                               0.1330
   110 MD5Transform                               0.0443
    97 kmalloc                                    0.1880
    39 des_encrypt3                               0.1336
    23 speedo_interrupt                           0.0298
    14 skb_copy_expand                            0.0250
    13 ipsec_tunnel_start_xmit                    0.0009
    13 Decode                                     0.1625
    11 handle_IRQ_event                           0.1019
    11 .des_ncbc_encrypt_end                      0.0229
    10 speedo_start_xmit                          0.0188
     9 satoa                                      0.0225
     8 kfree                                      0.0118
     8 ip_fragment                                0.0121
     7 ultoa                                      0.0365
     5 speedo_rx                                  0.0071
     5 .des_encrypt2_end                          5.0000
     4 _stext                                     0.0140
     4 ip_fw_check                                0.0035
     2 rj_match                                   0.0034
     2 ipfw_output_check                          0.0200
     2 inet_addr_type                             0.0156
     2 eth_copy_and_sum                           0.0139
     2 dev_get                                    0.0294
     2 addrtoa                                    0.0143
     1 speedo_tx_buffer_gc                        0.0024
     1 speedo_refill_rx_buf                       0.0022
     1 restore_all                                0.0667
     1 number                                     0.0020
     1 net_bh                                     0.0021
     1 neigh_connected_output                     0.0076
     1 MD5Final                                   0.0083
     1 kmem_cache_free                            0.0016
     1 kmem_cache_alloc                           0.0022
     1 __kfree_skb                                0.0060
     1 ipsec_rcv                                  0.0001
     1 ip_rcv                                     0.0014
     1 ip_options_fragment                        0.0071
     1 ip_local_deliver                           0.0023
     1 ipfw_forward_check                         0.0139
     1 ip_forward                                 0.0011
     1 eth_header                                 0.0040
     1 .des_encrypt3_end                          0.0833
     1 des_decrypt3                               0.0034
     1 csum_partial_copy_generic                  0.0045
     1 call_out_firewall                          0.0125

Hope this data is helpful to someone... however the lack of visibility 
into the decrypt side makes things less clear
</PRE>
<H2><A name="methods">Methods of mesasuring</A></H2>
 If you want to measure the loads FreeS/WAN puts on a system, note that 
tools such as top or measurements such as load average are more-or-less 
useless for this. They are not designed to measure something that does 
most of its work inside the kernel.
<P> Here is a message from FreeS/WAN kernel programmer Richard Guy 
Briggs on this: </P>
<PRE>
&gt; I have a batch of boxes doing Freeswan stuff.
&gt; I want to measure the CPU loading of the Freeswan tunnels, but am 
&gt; having trouble seeing how I get some figures out...
&gt; 
&gt;  - Keying etc is in userspace so will show up on the per-process
&gt;    and load average etc (ie pluto's load)

Correct.

&gt;  - KLIPS is in the kernel space, and does not show up in load average
&gt;    I think also that the KLIPS per-packet processing stuff is running
&gt;    as part of an interrupt handler so it does not show up in the
&gt;    /proc/stat system_cpu or even idle_cpu figures

It is not running in interrupt handler.  It is in the bottom half.
This is somewhere between user context (careful, this is not
userspace!) and hardware interrupt context.

&gt; Is this correct, and is there any means of instrumenting how much the 
&gt; cpu is being loaded - I don't like the idea of a system running out of 
&gt; steam whilst still showing 100% idle CPU :-)

vmstat seems to do a fairly good job, but use a running tally to get a
good idea.  A one-off call to vmstat gives different numbers than a
running stat.  To do this, put an interval on your vmstat command
line.
</PRE>
 and another suggestion from the same thread: 
<PRE>
Subject: Re: Measuring the CPU usage of Freeswan
   Date: Mon, 29 Jan 2001
   From: Patrick Michael Kane &lt;modus@pr.es.to&gt;
 
The only truly accurate way to accurately track FreeSWAN CPU usage is to use
a CPU soaker. You run it on an unloaded system as a benchmark, then start up
FreeSWAN and take the difference to determine how much FreeSWAN is eating.
I believe someone has done this in the past, so you may find something in
the FreeSWAN archives.  If not, someone recently posted a URL to a CPU
soaker benchmark tool on linux-kernel.
</PRE>
</BODY>
</HTML>